Two-factor authentication over SMS can do more harm than good. It’s time we stop using it and for companies to stop offering it.
You should always enable two-factor authentication whenever a service or account offers the option. In fact, if a service doesn’t offer 2FA, you should look into using a similar service from a different provider. You are the only person who can truly protect your online identity and 2FA is a big step towards doing it.
But not all 2FA is equal. 2FA is simply a second means of proving you are who you claim to be and there are several ways it can be done. You can use an app like Authy, use a security key like the ones offered by Yubico, or use Google’s Titan Security solution through your Pixel phone or a stand-alone key. You can also use SMS to have a code sent to you when you need it, even though you never should.
The problem isn’t with the idea. Getting a 2FA code via a text message isn’t all that different from getting one from an authenticator app. The issue is with the execution. When you rely on SMS for those codes, you’re subject to things like a man in the middle attack, where someone intercepts your messages, or SIM jacking — that’s where someone convinces your carrier to give them a new SIM card using your number. Once that happens, you no longer control access to your account.
This isn’t just a theory, either. Security experts have warned against using SMS for authentication for years and the recent YouTube hacks show us that it’s a real thing that happens to real people. When you run a popular YouTube channel you’re a prime target for hackers of all sorts, but you don’t have to be famous or any sort of influencer to fall victim to identity theft.
It’s also pretty easy to blame the user whenever you see something like this happen. Yes, a tech YouTuber who knows the ins and outs of how all this works should have known better than using SMS to secure his business. But maybe, Google should know better than to even offer SMS-based 2FA as an option.
Google isn’t alone here, either. Most services that offer 2FA as a way to protect an online account (don’t get me started on services that don’t even offer it) will be happy to let you use SMS to get a code. The people in charge of security at these businesses know that SMS based 2FA isn’t something we should be using. And if you don’t know it, you might use SMS and think your account is as secure as it would be had you chose to use an app or a security key.
2FA over SMS can be handy if you lose your phone, but it’s still not worth the risk.
Doing away with SMS 2FA codes isn’t something to be taken lightly. The same things that make it bad are also the things that are good about it — all you need is a dumb phone and your number to get access to your account. You don’t have to worry if you lost your phone and can’t access your email without a code from an app or if you lost your keychain with a security key attached.
Some accounts could just dump SMS-based authentication without any issues. Even Apple was able to do it, but this is possible because almost nobody uses an icloud.com email address as a primary contact and can still have access to mail from Google or Microsoft if they lose their iPhone. Plus Apple offers in-person customer support where you can physically prove who you are. Being able to communicate or visit the person who can help is important.
Security experts can surely think of a better way.
I just can’t help but remember the people who are security experts at big tech or big banking are supposed to be really smart at all of this. Maybe those people really smart people can figure out a better solution while we wait for the inevitable replacement for 2FA through something like spatial awareness. Heck, it could be as simple as a phone call where you provide information nobody else could know. Those smart people can surely figure something out.
I mentioned earlier that it’s up to all of us to protect and secure our online identity. We should know all about SIM jacking and man in the middle attacks and all the ways SMS can be compromised. The truth is that most of us don’t and think getting a text message is a secure way to protect ourselves. An even sadder truth is that we have to worry about it at all, but that’s just how things are. You wouldn’t use a barn hasp to lock your car, so don’t use SMS to lock your identity.
Stay protected with the best VPNs in 2020