Why You Should Stop Using SMS Two-Factor Authentication [Updated 2023]
Editor's note: This post was originally published on December 7, 2017 and has been revised for clarity and comprehensiveness.
Using two-factor authentication (2FA) to log in to your system is better than using a traditional password alone. But if your 2FA code is sent as a text, it could lead to a costly data breach.
If you’re currently using SMS for your 2FA, you better reconsider.
Intelligent Technical Solutions (ITS) has 20+ years of experience helping hundreds of businesses strengthen their cybersecurity. To further understand why SMS isn’t advisable when choosing a 2FA method, we’ll answer the following questions:
- What is two-factor authentication?
- What are the risks of using SMS two-factor autentication?
- What are better alternative methods to two-factor authentication?
After reading, you’ll know why you shouldn’t use SMS 2FA and find better alternatives to implement in your organization.
What is Two-Factor Authentication (2FA)?
There are three recognized types of authentication factors: something you know, something you have, and something you are.
- Type 1 or something you know includes passwords, personal identification numbers (PINs), code words, or secret handshakes. It is anything that you alone know and can remember.
- Type 2 or something you have is physical objects, such as keys, smartphones, smart cards, USB drives, and other token devices.
- Type 3 or something you are includes any part of the human body that can be used for verification. These include fingerprints, palm scanning, facial recognition, retina scans, and voice verification.
Two-factor authentication combines something you know (a password) with something you have (a phone or token).
In many 2FA setups, a user enters a password along with a single-use numeric code produced by an authentication app. But in some setups, the second factor consists of a temporary authentication code sent to your phone via SMS text message. And that text message, more often than not, presents a weakness that criminals can exploit.
What are the risks of using SMS two-factor authentication?
SMS 2FA may be an easy and convenient authentication method, but the problem is that text messages are usually vulnerable to several attack strategies, such as:
Without a good mobile defense, hackers can easily intercept and read your messages through spoofing or phishing. This is because SMS messages are not encrypted and rely only on the security of phone networks and companies–which are notoriously easy to access.
Another way they can get into your messages is by tricking you into installing malware on your device. Once the bad actor has successfully infiltrated your device, it will start looking for your saved credentials and send the information back to the attacker.
2. SIM Swapping
SIM swapping is a more sophisticated method of attack that gives hackers full control of your phone number.
This is how it’s usually done: a criminal calls or emails your mobile phone service provider and uses your stolen personal data to impersonate you. The criminal then asks the company to send your text messages to a different device, which gives them access to your one-time login codes. They then use those codes to gain immediate access to your system.
3. Social Engineering
Hackers also use a couple of social engineering tricks to get into your network. The most common is pretending to be you to your mobile service provider. They obtain your personal information from other online sources to bypass security questions and request a secondary SIM, claiming the old one was lost or stolen.
When you lose service on your SIM, the hackers will have a free ticket to use your number and request new SMS 2FA at will.
What are alternatives for two-factor authentication?
If you don’t want to risk your network getting compromised, then you should start exploring other methods of 2FA. Some of the more advanced and secure 2FA methods are:
1. Typing biometrics
Typing biometrics is an emerging tool in technology that leverages computational power. The initial enrollment captures your typing pattern and attributes it to you as part of the authentication process. Every time a new authentication is made, the stored hashed pattern is verified against the initial typing pattern, and if the match is successful, you can log in without hassle.
2. Authenticator Apps
Typically, authenticator apps are installed on a smartphone. They will generate a passcode that you can use for logging in, transaction confirmation, or act as a master key.
Authenticator applications provide you with two options:
- You can either receive a notification that someone is trying to access your account, and you can approve or decline verification, or
- You can open the app and see the verification code that updates every thirty seconds and input it into the account you’re accessing.
3. Physical Keys
While some of the most familiar forms of 2FA are a one-time-use code sent through any virtual means, the most secure version is still a physical security key. Users can simply insert the physical key into the device or computer to access critical business information.
Typically a physical key is the best option to protect sensitive accounts and data like banking, insurance, and investment information. However, since it’s tangible, it is prone to misplacement. When using this 2FA method, you should be extra mindful of where to keep it to ensure that no unauthorized access can be made.
Need help implementing two-factor authentication in your network?
There is no doubt that having two-factor authentication is more secure than relying only on passwords. But you should also acknowledge the risks of using certain types of 2FA to ensure that what you have does not put your network on the line. Instead of using SMS 2FA, there are better alternatives:
- Typing biometrics
- Authenticator apps
- Physical keys
ITS is your local expert on computer network security. As a managed cybersecurity provider for twenty years, we’ve been helping small and mid-size businesses set up, maintain, and secure their network. Contact us today to get a FREE network assessment.
You can also refer to these articles to learn more about 2FA and multi-factor authentication (MFA):
- 2FA vs Password Manager
- 3 Types of Cybersecurity Solutions Your Business Must Have
- What Businesses Need to Know About Managed Cybersecurity Services