In a quest for perfect security, the perfect is the enemy of the good. People are criticizing SMS-based two-factor authentication in the wake of the Reddit hack, but using SMS-based two factor is still much better than not using two-factor authentication at all.
Over 90% of Gmail Users Aren’t Using Two-Factor Authentication
Security professionals who talk about SMS verification not being good enough are getting too far ahead of themselves. Over 90% of Gmail users aren’t using any two-factor authentication at all, according to a presentation Google engineer Grzegorz Milka gave at USENIX Enigma 2018. The number one thing most people can do to protect themselves online is to enable any type of two-factor authentication for their important accounts.
Think of it like this. Say you want to put a lock on your front door to protect your home. Security professionals are arguing about that the best type of lock available is way better than cheaper locks. Sure, makes sense. But if that more expensive lock isn’t available to you, isn’t having a cheaper lock still better than not having a lock at all?
Yes, app-based two factor authentication is better than SMS-based authentication. But, if SMS is all a service offers, it’s still better than not using it at all.
SMS-based two factor has some weaknesses, but that’s missing the point. An attacker will have to spend time bypassing your SMS verification. And most targets probably aren’t worth that much effort.
Why You Need Two-Factor Authentication
Two-factor authentication is named that because it requires you to have two things to get into your account: something you know (your password) and something you have (an additional security code from your mobile device or a physical token).
When you enable SMS-based two factor authentication, the service will send your mobile phone number a text message containing a one-time code whenever you sign in from a new device. So, even if someone has your username and password for that account, they won’t be able to sign into your account without access to your text messages.
Any type of two-factor authentication provides a huge amount of protection for important accounts like your email, social media, and bank accounts. This is especially true if you re-use passwords. Many people re-use passwords at multiple websites and, when one website’s password database leaks, that password can be used to sign into their email accounts. Two-factor authentication would stop this right in its tracks.
That doesn’t mean you should re-use passwords. You should not re-use passwords. You should use a good password manager to keep track of strong, unique passwords.
Why Do People Say SMS Authentication is Bad?
SMS-based two-factor authentication isn’t considered ideal because someone could steal your phone number or intercept your text messages. For example:
- An attacker could impersonate you and move your phone number to a new phone in a phone number porting scam. This is the most likely attack.
- An attacker could intercept SMS messages intended for you. For example, they could spoof a cell tower near you, or a government could use its access to the cellular network to forward messages.
That’s why experts recommend using another two-factor method, one that can’t be as easily abused by nation states and isn’t vulnerable if your cellular carrier gives your phone number to someone else. If you get your code from an app on your phone or a physical security key you plug in, your two-factor isn’t vulnerable to issues with the phone network. The attacker would need your unlocked phone or the physical security key you have to sign in.
Sure, in a perfect world, SMS isn’t the ideal solution. We’ve explained why security experts don’t like SMS-based two-step authentication. But, even when we laid out that case, we tried to make one thing clear: SMS-based two-factor authentication is much, much better than nothing.
Some People Need More Security Than SMS Provides
The average person is fine with SMS-based authentication for now. SMS-based authentication makes attackers go through a lot of extra trouble to get into your account, and you’re probably not worth their trouble when there are other easier and juicier targets out there. Most people don’t even use SMS authentication, and the web would be a much more secure place if everyone did.
People who are likely to be targeted by sophisticated attackers should avoid SMS-based authentication. For example, if you’re a politician, journalist, celebrity, or business leader, you could be targeted. If you’re a person with access to sensitive corporate data, a system administrator with deep access to sensitive systems, or just someone with a lot of money in the bank, SMS may be too risky.
But, if you’re the average person with a Gmail or Facebook account and no one has a reason to spend a bunch of time getting access to your accounts, SMS authentication is fine and you should absolutely enable it rather than using nothing at all.
You’re Only As Secure As the Weakest Link
Here’s another unfortunate truth that everyone seems to gloss over: Even if you avoid SMS-based two-factor authentication for an account, SMS is probably available as a fallback method. For example, even if you generate codes with an app to sign into your Google account, you can recover your account using your phone number. This is to protect you if you ever lose access to your two-factor phone or token.
In other words, many—probably even most—services let you get into your account with your phone number, even if you use an app-generated code or a physical security key most of the time. You’re only as secure as the weakest link in the system. Try checking the other ways you can sign in if you don’t have your normal method.
That’s why, to really lock down a Google account, you don’t just need to avoid SMS-based two-step authentication. You also need to enroll in Google’s Advanced Protection Program, which is Google advertises for “journalists, activists, business leaders, and political campaign teams.” This free program requires you use a physical security key to sign in, but it also demands much more information to recover your account.
Please Use SMS If You’re Not Using 2FA Right Now
We don’t want to lull you into a false sense of security: If you’re someone likely to be targeted by foreign governments, corporate spies, or organized criminals, you absolutely should avoid SMS-based two-factor authentication and lock down your accounts with something more secure.
But, if you’re the average person who hasn’t enabled two-factor authentication yet, don’t be dissuaded: SMS-based two factor will make you a lot more secure than no two-factor at all. It’s an important baseline for security.
Everyone should use SMS verification unless they’re using something better.
Image Credit: golubovystock/Shutterstock.com.