You might’ve heard that 2FA (two-factor authentication) is a good way to secure your accounts. With 2FA, you use a password and a second factor to authenticate yourself and get access to an account. That way a hacker can’t get into your social media, your bank, or your email just by knowing your login and password (and trust us, your password’s probably out there already).
There are multiple ways of securing your accounts via 2FA and you might’ve heard that SMS 2FA (where a text message consisting of a single-use code is sent to your phone) is actually an insecure choice. There are various blog posts and security experts who disparage the use of text messages for 2FA, calling it a high-risk method.
We’re here to dispel those rumors (kind of) and give you an honest look into why SMS 2FA is worth considering when you want to enable 2FA.
How insecure is SMS 2FA really?
The main problem with SMS 2FA is that SMS and mobile devices have underlying vulnerabilities. Your phone and its communications are vulnerable to attacks and interceptions. Text messages have a known vulnerability in the way they currently work that allows hackers to intercept messages and read what’s being sent to you.
Hackers can also spoof (impersonate) your device so that messages are sent to their devices – that’s another way they can obtain your 2FA codes. Then there’s the possibility of malware infecting your device so that a hacker can see what’s on your screen.
However, despite these vulnerabilities and risks, the chances of your device or text messages becoming compromised are pretty low. It’s not hard to find stories and instances of these vulnerabilities leading to people getting hacked, but these are usually due to the fact that:
- The target is a high-value (or famous) target
- The target works in a high-risk industry (think government, journalism, etc.)
If you don’t fit those profiles, you’re likely safe from an attack that targets your phone or messages for the purposes of seeing your SMS 2FA messages.
How secure is SMS 2FA for you?
Hackers are always looking for easy targets and low-hanging fruit. They’re not looking to carry out complicated attacks, which is what it would take to exploit SMS vulnerabilities, intercept your messages, or spoof your mobile device.
If they’re just looking to get into a person’s social media, email, or bank account, they’ll likely target someone who doesn’t have any 2FA enabled. Passwords and usernames are pretty much out there and up for grabs (this is what happens when data breaches happen on a weekly basis). If a hacker wants to get into an account, they’re likely to just look for whatever target hasn’t enabled 2FA on their accounts. It’s much easier than trying to intercept text messages or install malware on a phone.
Which brings us to our main point.
The practical approach – SMS 2FA is easy, simple, and secure
Using SMS 2FA is much better than not having any 2FA enabled. If you’re only using passwords and then enable SMS 2FA on your email, bank, and social media accounts, you’ve vastly improved the security of your accounts and your private life. Sure, it means you have to have your phone when you log into those accounts, but it’s a very small price to pay to make sure that hackers move on to a different target if they’re trying to steal your information.
There are other methods of 2FA that are more secure, but those involve installing other apps or even carrying a physical device as an authenticator. If you’re used to passwords only, these extra steps may be too much of a burden.
If you consider yourself a high-value target (trust us, it’s not a good thing), then you may want to consider other forms of 2FA. But unless you are, the simplest and easiest way to keep your accounts secure is to enable SMS 2FA.