SMS two-factor authentication is still better than nothing.
I keep hearing from people telling me that using SMS text messaging for two-factor authentication is broken, risky, not secure, and so on.
They’re not wrong.
But here’s the thing: as broken as it may be, if it’s the only two-factor option available, you’re safer using it anyway.
Become a Patron of Ask Leo! and go ad-free!
Recently publicized exploits in SMS messaging do cause concern, and if you have the ability to use alternative forms of two-factor authentication, you should. Regardless, even with known exploits, using SMS for two-factor authentication remains more secure than not using two-factor authentication at all.
The latest break
A recent story at Vice.com — ”A Hacker Got All My Texts for $16“ — points out several flaws in the text-messaging ecosystem.
The most well-known issue, “SIM swapping”, is nothing new. It’s a kind of social engineering where a hacker impersonates you and has your mobile number moved to their device. Then they get all your calls and texts.
It’s unclear how successful the technique is. Given that it’s based on a hacker’s ability to fool a customer service representative, I imagine the success rate varies widely.
Apparently, there’s an easier hack only recently making the news.
There are legitimate services used by various businesses to redirect text messages from one number to another. In theory, they confirm it’s legitimate and gain the permission of the owner of the number being redirected.
In practice, it looks like they don’t.
It seems anyone can sign up and get your text messages to be redirected to their device. Unlike SIM swapping, where suddenly your mobile stops working, there is no indication to you that anything is wrong.
Hopefully, the recent publicity will cause these services to become a little stricter. Unfortunately, I expect there’ll always be one or more services that don’t. The door on this vulnerability may be closing, but it’ll never shut completely without either legislation1 or major changes to the underlying SMS technology.
And yet, I still recommend using SMS in some circumstances.
Some is better than none
Let’s say you’re at your local bank and a robber enters, wielding a gun and shooting.
Do you hide behind a nearby desk, or do you freeze and remain an obvious target for the gunman to shoot? You dive behind that desk, of course.
Now, what if I told you the desk will stop only 50% of the bullets commonly used by bank robbers? Depending on the ammunition the bad guy happened to bring that day, the desk you’re hiding behind may or may not protect you if he targets you.
Do you still hide behind that desk, or do you now decide to remain standing, since the desk is less than 100% effective? Of course you hide! Hiding gives you a 50/50 chance of being protected from the gunman’s bullet. Standing up? Zero percent. If he targets you, you’re hit.
SMS two-factor is like that desk, except that it protects you much better than a 50/50 coin flip.
What it takes to get shot hacked
If you have SMS two-factor authentication enabled on your account, here’s what a hacker needs to do to be successful:
- Know your username/login ID.
- Know your password.
- Know your mobile number.
- Intercept the SMS messages sent to your number.
If any one of those is false, the hacker can’t hack. All four must be true for a hacker to be successful.
If you don’t have two-factor enabled, the hacker needs to:
- Know your username/login ID.
- Know your password.
That’s it. Simply knowing those two things is enough to sign in as you and gain access to your account.
As broken as it might be, SMS two-factor is still better than that.
Use better alternatives, when you can
One of my financial institutions offers to send me a confirmation code by SMS to my cell phone or via email. Email is a more secure choice. It’s slower, but the security of financial accounts is worth the wait.
Another institution offers only text-messaging for that code. I still use it, because requiring that code is still safer than not needing it at all. Besides, it’s extremely unlikely that someone would target me or my phone. Possible, yes, but very unlikely.
Nonetheless, if your provider offers other alternatives to two-factor authentication besides SMS text messaging, then I recommend you strongly consider using one of those instead.
Better alternatives include:
- Google Authenticator-compatible smartphone apps.
- Email notification.
- Account-specific key fobs that display a changing number.
- Hardware devices like YubiKey.
But, perhaps to belabor the point, if all they offer is SMS two-factor authentication, then use SMS two-factor authentication.
It’s still better than no two-factor authentication at all.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Related Video
Footnotes & References
1: Even then, when redirects are outlawed, outlaws will still have redirects.
To me, this is just another scare subject. The story on Vice has appeared in other places, as well. Yes, it is possible to do this sort of hack but the hacker would first have to know my number and then know which accounts I have and what the login information is for each account. I know hackers can be industrious, but still seems to be a lot of information to sift through. Like looking for one particular needle in a boatload of needles. I’d guess it would be more useful to someone who was targeting a specific individual and had background information about the target.
If I was the subject of this type of attack, the hackers wouldn’t really get much. I don’t do much texting and they’d be welcome to all the spam messages that I usually see popping up on my phone.
I use Lastpass and when I can, I do not use my email address as my user name. If 2FA is required I use either a Yubikey or authenticator app as my first choice or setup both text and email when I can’t.
Yes, it would require a targeted attack. In addition to what you mentioned, the hacker would have to know the password to that person’s account they are hacking and then target that person’s phone. I’d estimate the SMS second factor gives you over 99.999999% protection. (I made that number up but I feel pretty confident about it)
Leo –
Hi. I’ve always wondered if our login ID should be treated as a second password. So it was interesting to see you list in the article that “know your username/login ID” as one of the four things a hacker needs to do in order to successfully hack a 2FA-enabled account.
So, should our login ID be long and hard to guess just like our password, or would that be a waste of time?
Thanks.
I’ve actually just drafted an article on that topic that should appear in the coming weeks. The short version is: probably not. It’s not always possible, or practical, adds complexity, and doesn’t really add a lot of security.
A couple of my financial institutions will telephone and give the 2FA code by automated voice. I have them call my – wait for it – landline, which has an answering device. This means I could call in for it when overseas and using a local SIM card in my cell phone. I prefer email notices and use email if it is on offer.
As to what is the best 2FA when no physical device (e.g. a YubiKey) is available, then in order from best to worst how do you rank a landline, an SMS to a “theoretically” somewhat secure smartphone, or a message to one’s online email account. Given my lack of expertise, I have ordered them as I suspect them to be best to worst.
I’m confused. I’ve provided exactly this list in the article above. Am I missing something?
Did you consider the forgotten password scenario? When you click forgotten password in gmail for example, you get a text message sent as SMS if the SMS 2 factor auth is enabled, and if you have access to that SMS, you’re in. You don’t need to know the password. Then it’s no longer a 2 factor auth, it’s essentially a full trust in the SMS. To me, that doesn’t sound more secure that a unique randomly generated strong password.
Typically you need to provide additional info — showing that you at least know the recovery email address, or some other piece of information. It’s still two-factor. It’s still safer than no two-factor at all.