Passwords alone aren’t safe (they’re easy to guess, crack, or steal), so it’s smart to take advantage of two-factor authentication (2FA) whenever it’s offered. 2FA makes your accounts MUCH more secure by requiring a second code, obtained from a different source, before anyone can get into them.
You’re already using 2FA on your Google, banking, Apple, social media, and other important accounts, right?
The default method of using 2FA is to receive codes via SMS. In many cases, it’s the only option available, although sites are increasingly supporting the use of authenticator apps and even hardware keys as options too.
Using SMS 2FA is absolutely better than not using any kind of two-factor authentication at all, but is it good enough? Lately there has been a lot of chatter about the risks and deficiencies of SMS 2FA. SMS 2FA is imperfect, but that doesn’t mean it isn’t the right choice, or good enough, for you.
We’d hate to see people opt out of this extremely useful security upgrade because of incomplete or inappropriate advice. Here’s what you should know:
What’s Wrong with SMS 2FA?
The risk in SMS 2FA is that SMS itself isn’t very secure. Bad guys can redirect your text messages to another device, or intercept them, in several different ways. In theory, this means they can get your 2FA codes and render the ‘extra security’ ineffective.
While intercepting the SMS of a targeted person isn’t that hard, most people (especially the general public) will never be targeted. In other words, it is very unlikely that anyone will specifically try to hijack your mobile SIM or listen in on your digital traffic. That kind of work is hard, expensive and time consuming. Unless you’re a ‘high value target’ with a lot of money or particularly valuable data, hackers are unlikely to invest that much effort in you because it isn’t worth it to them.
If you’re someone with a specific job, lifestyle, political views, or have anything else that may place you in a high-risk category, then by all means upgrade past SMS and use better 2FA methods. But if you’re not, then SMS 2FA is probably good enough, and again, it’s hundreds of times more secure than not using it. Use it.
Pros and Cons
Let’s look at it another way. Below is a breakdown of both sides of the SMS coin to give you a complete picture.
Pros
- SMS is convenient. With mobile phones everywhere now, receiving an SMS message is easy for just about anyone.
- SMS is built-in. There’s no need to download an app or install something separately. If you have a phone, you’re capable of using SMS 2FA.
- SMS is quick. The messages arrive quickly. At most it might take a minute or two for the code to come through.
- SMS alerts you to malicious activity. If someone is attempting to break into your account, you might receive SMS codes you never requested, which tells you something is amiss. That means it’s time to change your password. Aren’t you glad you decided to use 2FA?
Cons
- SMS is insecure. Hackers can get your phone number moved to a SIM card they control (a ‘SIM swap’), giving them access to all your SMS messages, including authentication codes.
- SMS has trust issues. The companies using your phone number for 2FA now may use that information for other purposes, like advertising, or for monetary gain.
- SMS is visible. Others can read passcodes sent by SMS on your lock screen if lock-screen notifications are enabled.
- SMS messages can be intercepted on your device. If your device has been compromised with malware, hackers can read the messages you receive or see whatever you see on your screen, including the codes.
- SMS has a known flaw. SMS messages can be intercepted through a basic flaw in the SS7 protocol used to transmit them. This allows hackers to spy on the messages being sent. In the past, hackers were able to steal authentication codes in Germany and drain victims’ bank accounts.
- SMS gets a bad rating from the government. NIST, the National Institute of Standards and Technology, declared years ago that the age of SMS-based 2FA is done, particularly highlighting the vulnerabilities of SMS 2FA when it is used with virtual phone numbers.
While some of the exploitation methods listed might seem far-fetched and labor intensive for criminals, they are not. All of these scenarios have been observed and used in practice to steal data, but usually when an attacker has a specific target who is worth their time and effort. Anyone with a high risk profile, or anyone who simply wants better security, should use authenticator apps or hardware keys when possible.
However, make sure the stronger method is the only one enabled on the account, including for account recovery. If your backup form of authentication is still SMS, then that weakness is still there for hackers to take advantage of, no matter how strong your primary method is.
That being said, if you have a normal to low risk profile and/or the service doesn’t offer other forms of authentication, having SMS 2FA is far better than having no second factor at all.