Security experts recommend using two-factor authentication to secure your online accounts wherever possible. Many services default to SMS verification, sending codes via text message to your phone when you try to sign in. But SMS messages have a lot of security problems, and are the least secure option for two-factor authentication.
First Things First: SMS Is Still Better Than No Two-Factor Authentication at All!
While we’re going to lay out the case against SMS here, it’s important we first make one thing clear: Using SMS is better than not using two-factor authentication at all.
When you don’t use two-factor authentication, someone only needs your password to sign into your account. When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your text messages to gain access to your account. SMS is much more secure than nothing at all.
If SMS is your only option, please do use SMS. However, if you’d like to learn why security experts recommend avoiding SMS and what we recommend instead, read on.
SIM Swaps Allow Attackers to Steal Your Phone Number
Here’s how SMS verification works: When you try to sign in, the service sends a text message to the mobile phone number you’ve previously provided them with. You get that code on your phone and enter it to sign in. That code is only good for a single use.
It sounds reasonably secure. After all, only you have your phone number and someone has to have your phone to see the code—right? Unfortunately, no.
If someone knows your phone number and can get access to personal information like the last four digits of your social security number—unfortunately, this be easy to find thanks to the many corporations and government agencies that have leaked customer data—they can contact your phone company and move your phone number to a new phone. This is known as a “SIM swap“, and is the same process you perform when you purchase a new device and move your phone number to it. The person says they’re you, provides the personal data, and your cell phone company sets up their phone with your phone number. They’ll get the SMS message codes sent to your phone number on their phone.
At its core, this is a social engineering attack that relies on tricking your cell phone company. But your cell phone company shouldn’t be able to provide someone with access to your security codes in the first place!
SMS Messages Can Be Intercepted in Many Ways
It’s also possible to snoop on SMS messages. Political dissidents and journalists in repressive countries will want to be careful, as the government could hijack SMS messages as they’re sent through the phone network. This has already happened in Iran, where Iranian hackers reportedly compromised a number of Telegram messenger accounts by intercepting the SMS messages that provided access to those accounts.
Attackers have also abused problems in SS7, the connection system used for roaming, to intercept SMS messages on the network and route them elsewhere. There are many other ways messages can be intercepted, including through the use of fake cell phone towers. SMS messages weren’t designed for security, and shouldn’t be used for it.
In other words, a sophisticated attacker with a bit of personal information could hijack your phone number to gain access to your online accounts and then use those accounts to attempt to drain your bank accounts, for example. That’s why the National Institute of Standards and Technology is no longer recommending the use of SMS messages for two-factor authentication.
The Alternative: Generate Codes on Your Device
A two-factor authentication scheme that doesn’t rely on SMS is superior, because the cell phone company won’t be able to give someone else access to your codes. The most popular option for this is an app like Google Authenticator. However, we recommend Authy, since it does everything Google Authenticator does and more.
Apps like this generate codes on your device. Even if an attacker tricked your cell phone company into moving your phone number to their phone, they wouldn’t be able to get your security codes. The data needed to generate those codes would remain securely on your phone.
You don’t have to use codes, either. Services like Twitter, Google, and Microsoft are testing app-based two factor authentication that allows you to sign in on another device by authorizing the sign-in in their app on your phone.
There are also physical hardware tokens you can use. Big companies like Google and Dropbox have already implemented a new standard for hardware-based two-factor authentication tokens named U2F. These are all more secure than relying on your cell phone company and the outdated telephone network.
If possible, avoid SMS for two-factor authentication. It’s better than nothing and seems convenient, but it’s usually the least secure two-factor authentication scheme you can choose.
Unfortunately, some services force you to use SMS. If you’re worried about this, you could create a Google Voice phone number and give it to services that require SMS authentication. You could then sign into your Google account—which you can protect with a more secure two-factor authentication method—and see the secure messages in the Google Voice website or app. Just don’t forward messages from Google Voice to your actual cell phone number.