Time synchronization attacks constitute a major threat to phasor measurement unit-based smart grid applications, and their cost-efficient detection and mitigation is thus of utmost importance. In this article, we propose a mitigation approach based on authenticated network-based time synchronization. Our approach relies on the observation that a time synchronization attack can be undetectable if and only if it targets at least three time references in the power system, and such attacks need to be mitigated through appropriate security controls. We first provide a formal proof of this result, including a characterization of the degrees of freedom of the attacker in constructing an attack. We then formulate the problem of mitigating undetectable attacks at minimum cost as an integer linear program, and prove that it is NP-hard. To solve the problem, we propose two approximation algorithms based on computing shortest paths and solving a linear relaxation of the problem. Extensive simulations suggest the superiority of the proposed algorithms on IEEE benchmark power system graphs compared with baseline solutions. We report mitigation cost savings of at least 76% compared with a naive approach for mitigation and at least 30% compared with the state-of-the-art approach.