
It’s time to stop using SMS for two-factor authentication



You should always enable two-factor authentication whenever a service or account offers the option. In fact, if a service doesn't offer 2FA, you should look into using a similar service from a different provider. You are the only person who can truly protect your online identity and 2FA is a big step towards doing it.

But not all 2FA is equal. 2FA is simply a second means of proving you are who you claim to be and there are several ways it can be done. You can use an app like Authy, use a security key like the ones offered by Yubico, or use Google's Titan Security solution through your Pixel phone or a stand-alone key. You can also use SMS to have a code sent to you when you need it, even though you never should.


The problem isn't with the idea. Getting a 2FA code via a text message isn't all that different from getting one from an authenticator app. The issue is with the execution. When you rely on SMS for those codes, you're subject to things like a man in the middle attack, where someone intercepts your messages, or SIM jacking — that's where someone convinces your carrier to give them a new SIM card using your number. Once that happens, you no longer control access to your account.

This isn't just a theory, either. Security experts have warned against using SMS for authentication for years and the recent YouTube hacks show us that it's a real thing that happens to real people. When you run a popular YouTube channel you're a prime target for hackers of all sorts, but you don't have to be famous or any sort of influencer to fall victim to identity theft.


It's also pretty easy to blame the user whenever you see something like this happen. Yes, a tech YouTuber who knows the ins and outs of how all this works should have known better than using SMS to secure his business. But maybe, Google should know better than to even offer SMS-based 2FA as an option.

Google isn't alone here, either. Most services that offer 2FA as a way to protect an online account (don't get me started on services that don't even offer it) will be happy to let you use SMS to get a code. The people in charge of security at these businesses know that SMS-based 2FA isn't something we should be using. And if you don't know it, you might use SMS and think your account is as secure as it would be had you chosen to use an app or a security key.

2FA over SMS can be handy if you lose your phone, but it's still not worth the risk.

Doing away with SMS 2FA codes isn't something to be taken lightly. The same things that make it bad are also the things that are good about it — all you need is a dumb phone and your number to get access to your account. You don't have to worry if you lost your phone and can't access your email without a code from an app or if you lost your keychain with a security key attached.


Some accounts could just dump SMS-based authentication without any issues. Even Apple was able to do it, but this is possible because almost nobody uses an email address as a primary contact and can still have access to mail from Google or Microsoft if they lose their iPhone. Plus Apple offers in-person customer support where you can physically prove who you are. Being able to communicate or visit the person who can help is important.


Security experts can surely think of a better way.

I just can't help but remember the people who are security experts at big tech or big banking are supposed to be really smart at all of this. Maybe those really smart people can figure out a better solution while we wait for the inevitable replacement for 2FA through something like spatial awareness. Heck, it could be as simple as a phone call where you provide information nobody else could know. Those smart people can surely figure something out.

I mentioned earlier that it's up to all of us to protect and secure our online identity. We should know all about SIM jacking and man in the middle attacks and all the ways SMS can be compromised. The truth is that most of us don't and think getting a text message is a secure way to protect ourselves. An even sadder truth is that we have to worry about it at all, but that's just how things are. You wouldn't use a barn hasp to lock your car, so don't use SMS to lock your identity.
