Using SMS for two-factor authentication offers nothing but a false sense of security.
You must use two-factor authentication on every online account you have. It doesn’t matter how rich or famous you are, because everyone has something of value in their online accounts (although the rich and famous have to do more to protect their identities). Online data is so important that companies like Google and Facebook give you everything for free.
Using two-factor authentication (2FA) is not effortless, because it puts up a barrier: you have to prove that you really are who you claim to be. Unfortunately, many people find this barrier too high or too inconvenient and skip 2FA altogether. I’m not going to stand on a soapbox and explain how wrong that is. You know why you should use it, and you have made your decision.
However, there is another problem for people who do choose to secure their online accounts with 2FA: many companies offer SMS as the way to authenticate. This means that the first time you try to log in from a new phone or computer, you’ll receive a text message at the number you registered with the company. It sounds simple, but it’s as bad as or worse than not using 2FA at all, because of the false sense of security it provides.
It isn’t really easy to “steal” a phone number by tricking a carrier into issuing a new SIM card, because it involves persuading someone to do something they shouldn’t. But we all know that it happens. Intercepting SMS messages isn’t easy either, even though methods for doing it have been around for a long time. However, it is simple and inexpensive to pay a company to reroute SMS messages from one number to another.
Businesses need to deliver SMS messages, but they need some oversight.
There is a legitimate need to reroute SMS messages, such as when a help desk uses a business landline or a virtual number to provide support by text. The problem is that there are no regulations requiring companies that provide such services to verify that a customer actually owns the number being redirected. All it takes is filling out an online form, paying a few dollars and lying on the application.
This is a big problem that needs to be addressed soon. Many of us will carry the same phone number with us throughout our lives. Your phone number is part of your identity. I don’t know how to fix this without introducing new laws written by people who don’t know how the technology works. Both options here are bad, so let’s have the experts figure it out.
It’s not difficult to see the tremendous threats to safety and security posed by this kind of attack. The FCC must use its authority to get the phone company to protect the network from hackers. Pai’s approach to industrial self-regulation has clearly failed. — Senator Ron Wyden
But what I can do is stop using services that offer only SMS as a way to do 2FA.
Professionals overseeing the security of banks, retailers, or other services that provide a way to do business online know how bad the use of SMS for 2FA can be. In many cases that doesn’t seem to make a difference, as you can find plenty of otherwise reputable businesses that offer it as your only option. SMS is easy to use for 2FA, and it costs money to convert a system to a method that is actually secure.
The authentication app is as easy to use as receiving an SMS code.
Making that transition is just as difficult for many people, even those who seek out services that meet basic security standards. Using SMS is easy and works on any device capable of receiving text messages. We all know how it works. You receive the code in a text, enter it in the small box, then press Submit. It works on cheap Android phones and even on dumb phones.
Many people don’t realize that using a software-based 2FA authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator is very easy. There is no waiting for a code to arrive: just open the app, select the service, and the code is shown immediately.
Other methods, such as using a USB or wireless security key, are fairly easy once you find the right hardware to work with your device, but for most people, using a software authentication app is the right choice. It’s not 100% “hack-resistant”, but it’s not easy to exploit.
It’s worth switching services to find one that cares about your account security.
But switching the way you get the 2FA code is the easy part. What if my bank only uses SMS (or voice calls) for 2FA? Should I change banks? Yes. And explain why you’re switching, because someone in their IT department knows you’re making the right decision.
The good news is that the most popular services and service providers now offer the option to use authenticator apps. Amazon, Twitter, Google, Apple, Microsoft, and Facebook let you choose an authenticator app as the way you receive codes when setting up 2FA. However, it is possible that a service you need to use does not offer this yet and only SMS is an option. It’s time to abandon these services and find a service from a company that cares at least a little about your account security.