The Risk in SMS Two-Factor Authentication

We recommend two-factor authentication (2FA) for everyone. It adds a large amount of protection to your accounts, reducing account hacking by over 99% according to both Google and Microsoft. For most people, enabling 2FA using SMS is all the protection they’ll ever need.

2FA, for those who don’t recognize the acronym, is a second factor beyond your password that is required to log into a device or an account. The most common example is the numeric code you receive in a text message when you sign in to a bank or other important account. This is known as SMS 2FA. It’s a way to confirm that the person signing in is really you, because, after all, you’re the only one with access to your mobile phone and its text messages.

However, this form of 2FA isn’t foolproof, and for some, it’s necessary to move up to a more secure form of 2FA, like using an authenticator app or a security key.

SMS itself isn’t very secure

If we’re going to rely on SMS for such an important security function, we’d want SMS itself to be secure. Unfortunately, it really isn’t: it was never designed to stop anyone determined to intercept messages.

There are two flaws in the system:

SMS snooping and spying

The technology behind SMS messages has not been updated in a very long time, and there is no evidence that telecommunication companies have made fixing its privacy and security problems much of a priority. One particular weakness in SS7, the signalling protocol carriers use to route calls and messages between networks, lets snoopers and hackers intercept and read your messages, including any login codes sent to you.

SIM-jacking

The other problem is that SMS delivers messages to your phone number, and it’s not that hard to reassign a phone number to a new phone. You’ve done it yourself when upgrading: the carrier quickly ‘moves’ your number from your old phone to the new one.

But what if someone ‘moved’ your number to a different phone without your permission? That’s an attack called SIM-jacking, and it happens a lot. Basically, an attacker impersonates you to the carrier to get your wireless service transferred to a phone they control, instantly giving them your messages, phone calls, and anything else tied to your number. From there, they can quickly reset passwords, receive the 2FA codes those resets require, get into any number of accounts, and cause a lot of financial damage.

So is SMS not secure enough for 2FA?

That depends.

While these risks are real, and there are many stories of people whose SMS messages were intercepted, the risk to the average person is quite low. SMS 2FA is mainly a risk if you are specifically targeted.

In other words, if you’re famous or very wealthy or have somehow grabbed the attention of someone who might *really* want to break into your various accounts, then you probably should NOT rely on SMS as a key piece of your security system.

But if you’re not a target, just a normal person that nobody is staying up late trying to hack, then SMS 2FA is a great security component because it keeps you from being caught up in the consequences of large-scale breaches. Those usually take the form of credential stuffing, where all the passwords from one stolen system are tried against another, or of someone taking a list of email addresses and trying password after password against each one to see if any lets them in. 2FA stops these types of attacks, and SMS 2FA works just fine for that.

Note: If you are or may become a target and must stick with SMS, you can reduce your risk of SIM-jacking by asking your mobile carrier for a port freeze (a ‘no-port’ option) or by putting additional security measures, like an account PIN, on your carrier account. But this has proven only marginally effective.

Upgrading from SMS 2FA

If you are a high profile figure or someone that may be a target, hold a lot of cryptocurrency (a characteristic shared by many SIM-jacking victims), or just want to make your accounts as secure as possible, choose an alternative form of 2FA.

There are three other forms of 2FA we recommend: authenticator apps, on-device prompts, and security keys.

Authenticator apps

These are apps you install on your phone, and they work similarly to SMS 2FA with a little more setup. You add each account you want secured to the app (we like Authy and Google Authenticator), and from then on the app generates a short-lived code that refreshes continuously. After entering your password, you open the app, enter the current code, and are signed in.

Because the authenticator app generates its codes on your phone rather than receiving them over the network, the codes can’t be intercepted by SMS snooping, and SIM-jacking won’t give hackers access to the app or its codes.

On-device prompt

Google is best known for this method, and it works by registering a trusted device with Google. If you, for example, log into your Gmail on a desktop, laptop or other device, Google sends a confirmation prompt to the registered device to make sure it’s you. If it was you logging in, you confirm it. If not, you don’t.

Security key

A security key is a small physical device you plug into your computer or phone to confirm a login. This is the most secure way of logging in, as an attacker would need physical possession of your key to get into one of your accounts. Our recommendations include YubiKey and Google’s Titan key.

SMS is great for 2FA until it isn’t

Using SMS 2FA is worlds better than not using 2FA at all. For nearly everyone, it virtually eliminates account takeover, and we recommend it for almost everyone. But if your security needs or desires are higher, for whatever reason, upgrade to an authenticator app or a security key. These are almost completely hack-proof no matter how hard the bad guys try.
