Skip to main content

It's time to stop using services that force you to use SMS-based 2FA

Using SMS for two-factor authentication offers nothing except a false sense of security.

You should be using two-factor authentication on every single online account you have. It doesn't matter how rich or how famous you are (though the rich and famous should probably do even more to secure their identities) because everyone has something of value hidden in their online accounts. Companies like Google and Facebook offer everything for free because our online data is so valuable.

Using two-factor authentication (2FA) isn't designed to be easy because proving that you're really who you claim to be should have a barrier attached. Unfortunately, many people think this barrier is too high or too inconvenient and skip 2FA altogether. I'm not going to stand on a soapbox and explain how wrong that is because that's been done to death. You know why you should use it and have made a decision.

But for those who do choose to secure online accounts with 2FA, there's another issue: many companies only offer using SMS to authenticate you. That means when you try to sign in the first time from a new phone or computer, you receive a text message on the number the company has on file for you. It sounds simple, but it's as bad or worse than not using 2FA at all because of the false sense of security it gives.

It's not really easy to "steal" your phone number by fooling a carrier into giving you a new SIM card because it involves convincing someone to do a thing they aren't supposed to do. But we all know that happens. It's also not easy to intercept an SMS, even though the methods to do so have been around for a long time. But it's simple — and cheap — to pay a company to reroute SMS messages from one number to another.

Businesses do need to forward SMS messages, but there has to be some oversight.

There is a legitimate need for rerouting SMS messages, such as having a help desk offer support through texting using a business landline or virtual number. The problem is that there is no regulation that makes sure the companies that offer such services actually prove you own the number that's being redirected. You simply fill out an online form, send a few dollars, and lie on an application.

This is a huge issue that needs to be addressed, and soon. Many of us will carry the same phone number with us throughout our lives; your phone number really is part of your identity. I don't know how to fix this issue without introducing new laws made by people who have no idea how the technology works or letting this particular industry police itself. Both options here are bad, so I'll let the experts figure it out.

It's not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai's approach of industry self-regulation clearly failed. — Senator Ron Wyden

What I can do though, is say that we all need to stop using services that only offer SMS as a method for 2FA. Period, full stop.


The experts that oversee security at your bank or a retailer or any other service that offers a way to do business online know how bad using SMS for 2FA is. That doesn't seem to make a difference in many cases as you'll find plenty of otherwise reputable businesses that offer it as the only option. I assume it's partially because using SMS for 2FA is easy, and it would cost money to switch the system to use a method that's actually secure.

An authenticator app is just as easy to use as getting SMS codes.

It's equally difficult for many to make that switch, even if they find the right service that offers basic security standards. Using SMS is easy and works from any device that can receive text messages. We all know how it works; get the code in a text, enter the code in the little box, and press submit. It works on a cheap Android phone or even a dumb phone.

What many don't realize is that using something like a software-based 2FA authentication app like Google Authenticator, Authy, or Microsoft Authenticator is just as easy. You don't wait for a code, you open the app and choose the service and one is provided instantly.

Other methods like using a USB or wireless security key are also fairly easy once you find the right hardware that works with your devices, but for most people, using a software authenticator app is the right choice. It's not 100% "hackproof" either, but it's not something that's trivial to exploit.

It's worth switching services to find one that cares about your account security.

Switching how you get your 2FA codes is the easy part, though. What if your bank only uses SMS (or even worse, a voice call) for 2FA? Should you switch banks? Yes. And tell them why you're switching because someone in the IT department knows you're making the right decision to make the switch.

The good news is that most popular services and service providers now offer the option to use an authenticator app. Amazon, Twitter, Google, Apple, Microsoft, and even Facebook will let you use an authenticator app when you set up 2FA or allow you to make changes to the way you get your codes. But there is a real chance that a service you need to use isn't on board just yet and only offers SMS as an option. It's time to ditch those services and find one from a company that cares at least a little bit about your account security.

Source: androidcentral

Popular posts from this blog

Genshin Impact: When does Update 2.0 release in my region?

Best answer: Server maintenance for Genshin Impact Update 2.0 will begin at 6 a.m. China Standard Time on July 21 (6 p.m. ET / 3 p.m. PT on July 20). Maintenance is expected to last around five hours and will occur simultaneously for everyone. Does Genshin Impact server maintenance vary by region? Regardless of what time the server maintenance occurs, it will happen simultaneously for everyone. Server maintenance generally lasts around 5 or 6 hours, but given that Update 2.0 is the biggest one yet, it could potentially take even longer. Update 2.0 will release worldwide on July 20 or 21 depending on your time zone. What does Genshin Impact Update 2.0 include? There's a whole lot of content coming with Genshin Impact Update 2.0 . One of the biggest additions is the Inazuma region, which will be the first major region to be added to the game since its launch. It consists of six major islands with ports, mountains, shrines, villages, and more. With Inazuma also comes a new A

Unmaze for Android is a stunning adventure through a sinister labyrinth

In a world of light and shadow, guide your loved ones through the maze before monstrosity overtakes them. Your little brother and your boyfriend have been missing for two days. Search parties and authorities aren't turning up any leads, and there's been a string of unsolved missing person cases in your town recently. Looking for answers, you find a strange blue crystal and some ominous notes about a lost civilization in your brother's room. And when you look into the crystal, you can see and hear your boyfriend?! This fascinating horror mystery setup is how Unmaze kicks off, and the plot only thickens from there. You play as Ariadne, a young woman trying to help recover her boyfriend, Theseus, and her younger brother, Asterion, from a mystical maze that she can only see through the crystal she found in Asterion's room. This phenomenal, weird title is definitely going in with the best Android games . Mechanically speaking, the gameplay in Unmaze is very simple,

There are many ways to copy and paste things from your Chromebook

It should come as no surprise that as time has passed everyone by, the best Chromebooks have progressed and become true productivity machines. And while there are a lot of awesome Chromebook tips and tricks that you won't find elsewhere, you'll likely want to know how to do some of the more basic tasks. One such task performed a plethora of times per day is simply copying and pasting text or other items from one place to another. So here's how you can copy and paste on a Chromebook. How to copy and paste with the touchscreen Locate the text that you wish to copy and paste. Double-tap the screen on the text that you wish to copy. Drag the highlight handles to highlight all of the text you want to copy. From the pop-up menu, tap Copy . Navigate to the area where you wish to paste the text. Tap and hold in the space where you wish to paste. Tap Paste from the menu that appears. Using the touchscreen on your Chromebook can be a bit finicky from time

How to watch Big Brother 2021: Stream season 23 online live from anywhere

Big Brother returns for its 23rd season this week with a new cast of hopeful competitors all vying for a $500,000 cash prize. Amidst twists, turns, betrayals, and backdoors, the sixteen new houseguests are in for a wild summer that promises to be one to remember. Season 23 of Big Brother will feature a BB Beach Club theme and kicks off with a 90-minute premiere episode where, for the first time ever, the houseguests will be given a double-or-nothing offer that might be too good to pass up. And of course, the Big Brother Live Feeds are returning this year as well. Paramount+ subscribers will have 24/7 access to several cameras in the house so those interested can keep up with what's going on inside even when the show's not airing. CBS All Access was transformed into Paramount+ earlier this year, so all the Big Brother content that was available there including the live feeds and the CBS All Access original show Big Brother: Over The Top is available on Paramount+. B