How-To Geek SMS Two-Factor Auth Isn't Perfec

April 13, 2020, Kathmandu

There’s always a negative side to something good. Using two-factor authentication, or 2FA also has a downside. You might risk getting codes over SMS or text message.

The coronavirus pandemic has given a golden opportunity for hackers and scammers to prey on people’s fears. The threat actors have tried it all – from SIM swapping to phishing campaigns and stimulus check emails. As a result, it would be a very good time to look out for any suspicious activities on your account and email.

You would be wise to use two-factor authentication (2FA) to secure your personal information. And, you’d be even wiser to use an authentication app over SMS or text to receive codes.

But why? We will explain it in this article.

The authentication apps have their own perks. It is a more secure way to receive codes than in texts. The login process is also quicker. So basically, it’s a win-win situation.

What is two-factor authentication?

That is actually a good question. Don’t you want to know what the fuss is all about?

Well, here it goes.

2FA is an extra layer of security that makes sure that people trying to gain access to an online account are who they claim to be. How it works is first, a user will enter their username and password. Then, instead of immediately logging in, they will have to verify their identity.

How? That’s where 2FA comes in!

They will be required to provide another piece of information, e.g., a code sent on their SMS.

Even this piece of information can be one of the following:

  • Something you know

This could be a PIN, a password, an answer to a security question, etc.

  • Something you have

You can gain access to your account with something in your possession, like a credit card, smartphone, or a hardware token.

  • Something you are

This is somewhat an advanced category. It requires a biometric pattern of a fingerprint, an iris scan, or voice authentication.

Why Stop Using SMS?

Let’s just say that SMS is by far the least secure way of gaining access to your account via 2FA. Hackers have been able to trick your SIM carriers into porting a phone number to a new device – SIM swap. Now, once the hacker has redirected your phone number, they no longer require your physical cell phone to gain access to your 2FA codes.

Think of it as phone cloning, except your SMS will be redirected to the hacker and you will not know anything about it.

That’s not the end of it!

In fact, if you sync text messages with your laptop or tablet, the hacker could gain access to SMS codes by walking off with such a device of yours.

Hmm, that sounds troubling…

Well, it is troubling considering the weaknesses in the mobile telecom system itself. In something called an SS7 attack, a hacker can spy via the cell phone system, listening to your calls, intercepting text messages and viewing your phone location.

We hope you get how bad it could turn out to receive 2FA codes via SMS or text.

What to use instead?

Well, there are a couple of authentication apps for you such as Google Authenticator, Microsoft Authenticator or Authy. These apps make sure you don’t rely on your carrier, thereby lifting off the risk of an SMS swap. Moreover, the codes expire quickly, usually after 30 seconds or so.

Most people that have enabled 2FA on Facebook might know what we are talking about. It’s the same concept.

In addition, the authentication apps are faster, and you may get access by simply tapping a button to verify your identity. No codes, no password needed to enter.

In fact, if you have an Android phone or iPhone with the Google search or Gmail app, you can set up Google prompts to receive codes without having to install a separate authenticator app.

You will receive push notifications on your phone that require a simple tap to approve.

So much quicker, reliable, and convenient!

 Isn’t it?

Do I really need two-factor authentication?

If you want to secure your online account and data, you sure do need it. Using stronger passwords and security questions is one thing. And, setting up 2FA can be the best move you make to secure your online privacy.

We would choose two-step verification over one-step any day. After all, our online data and activities are on the line. Hackers target the weak accounts and it’s almost sure that without 2FA, your account could be next.

It might sound like a hassle but compare it with the hassle of getting hacked.

For more ways to stay safe online, check out how to secure your online presence


Please enter your comment!
Please enter your name here