Feedbox

Why You Shouldn’t Use SMS for Two-Factor Authentication (and What to Use Instead)

Security experts recommend using two-factor authentication to secure your online accounts wherever possible. Many services default to SMS verification, sending codes via text message to your phone when you try to sign in. But SMS messages have a lot of security problems, and are the least secure option for two-factor authentication.

First Things First: SMS Is Still Better Than No Two-Factor Authentication at All!

While we’re going to lay out the case against SMS here, it’s important we first make one thing clear: Using SMS is better than not using two-factor authentication at all.

When you don’t use two-factor authentication, someone only needs your password to sign into your account. When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your text messages to gain access to your account. SMS is much more secure than nothing at all.

If SMS is your only option, please do use SMS. However, if you’d like to learn why security experts recommend avoiding SMS and what we recommend instead, read on.

SIM Swaps Allow Attackers to Steal Your Phone Number

Here’s how SMS verification works: When you try to sign in, the service sends a text message to the mobile phone number you’ve previously provided them with. You get that code on your phone and enter it to sign in. That code is only good for a single use.

It sounds reasonably secure. After all, only you have your phone number and someone has to have your phone to see the code—right? Unfortunately, no.

If someone knows your phone number and can get access to personal information like the last four digits of your social security number—unfortunately, this can be easy to find thanks to the many corporations and government agencies that have leaked customer data—they can contact your phone company and move your phone number to a new phone. This is known as a “SIM swap”, and is the same process you perform when you purchase a new device and move your phone number to it. The person says they’re you, provides the personal data, and your cell phone company sets up their phone with your phone number. They’ll get the SMS message codes…

The post Why You Shouldn’t Use SMS for Two-Factor Authentication (and What to Use Instead) appeared first on FeedBox.
