
Why SMS Two-Factor Is Better than No Two-Factor at All

In recent weeks, there have been reports of flaws in the SMS (text messaging) protocols that allow attackers to essentially hijack SMS two-factor authentication for accounts they’ve targeted.

This is causing many people to avoid two-factor authentication altogether when SMS is the only option available.

I believe that’s a serious mistake. SMS-based two-factor authentication is still better than no two-factor authentication at all.


Better than SMS

Since SMS does have its flaws, I want to start by pointing out that if you have an option, there are better and more flexible alternatives for two-factor authentication, including Google Authenticator, Authy, email authentication, and more.

Google Authenticator

This smartphone application generates a code that changes every 30 seconds. When you set up this kind of two-factor authentication, you establish a cryptographically secure pairing between an online service and your phone. When two-factor is used, you simply enter the code currently displayed on your phone when asked. As a bonus, no connectivity is required when using Google Authenticator. Once established, the application runs independently on your device, and as long as the time is set correctly, it just works.

I use Google Authenticator style two-factor whenever possible, but I no longer use the Google Authenticator application. The single biggest problem is that moving to a new phone1 is extremely painful, involving turning two-factor off for each account and then reestablishing it on the new device. Instead, I use the free Authy app. You can use Authy anywhere Google Authenticator is supported. It allows you to “back up” your two-factor configuration, making it easy to move to other devices. You can even use Authy from your desktop, without reaching for your phone at all.

Whenever it’s an option, I enable two-factor authentication using Authy. I currently have 14 different accounts set up this way.

Email

Many services opt for a form of two-factor authentication based on email. When you log in, they send an email message to the email address of record, containing a link you must click to complete the log-in process. The “second factor” is your ability to access that email account.

I’ve seen some services use this technique to actually bypass the password requirement completely, relying on your email address being correct, your email account being secure, and your ability to click the link sent to it to verify you are who you say you are.

The problem, of course, is that this requires the ability to access your email. It’s also not something that can be used as a second factor on your email account, unless it uses a different email address — your “alternate” email address — as the second factor.

Sometimes email can be delayed. If you’re waiting to log in to some service, that delay can be annoying, and at worst can be long enough to invalidate the attempt.

But as long as your email account itself is secure, it’s a perfectly valid way to set up a form of two-factor authentication.
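As an added illustration (not part of the original article), here is how a service can implement the emailed-link second factor so that a delayed link expires rather than staying valid indefinitely, and so that each link can be redeemed exactly once. Only a hash of each token is stored, so a copy of the server's pending-token table cannot be replayed as a valid link. The 15-minute lifetime and the example.invalid host are constructed values, not anything the article or a particular provider specifies.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value: a link expires after 15 minutes


class EmailLinkVerifier:
    """Issues and redeems single-use, expiring login-link tokens."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # sha256(token) -> (account, expires_at)

    @staticmethod
    def _digest(token):
        # Store a digest, never the token itself; the token only ever lives in the e-mail.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, now=None):
        """Create a fresh 256-bit random token for `account` and remember its expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (account, now + self.ttl)
        # The caller embeds this in the mailed link, e.g.
        # https://example.invalid/login?t=<token>   (constructed host)
        return token

    def redeem(self, token, now=None):
        """Return the account the link logs in, or None if unknown, reused, or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # pop: one use only
        if entry is None:
            return None
        account, expires_at = entry
        if now > expires_at:
            return None  # the mail arrived too late; the user must request a new link
        return account


if __name__ == "__main__":
    v = EmailLinkVerifier()
    t = v.issue("user@example.invalid")  # constructed account name
    print("first use:", v.redeem(t))
    print("second use:", v.redeem(t))
```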

SMS text messaging

When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity (or even a smartphone). Any device capable of receiving a text message can be used. This technique also transfers to your new phone automatically when you transfer your mobile number to the new device.

SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number…

… except when it’s been intercepted. Here’s where things get complicated.

SMS: the exploit

In order for SMS two-factor to be compromised, three things have to happen:

  • The attacker needs to know your username and password.
  • The attacker needs to know your mobile number.
  • The attacker needs access to a phone company. 🙂

The Naked Security Blog’s article, “Bank accounts raided after crooks exploit huge flaw in mobile networks”, describes how hackers got the first two items via fairly traditional means:

…hackers sent conventional fake phishing emails to victims, suckering them into visiting fake bank websites, where they were told to enter account numbers, passwords and the mobile phone numbers they had previously given their banks.

Accomplishing the third item was a little less traditional:

…the attackers “purchased access to a rogue telecommunications provider and set up a redirect for the victim’s mobile phone number to a handset controlled by the attackers.”

Purchased access to a rogue phone company? Clearly possible, but not the most common scenario around, by far.

SMS: still better than nothing

Let’s say you’ve decided that SMS isn’t secure (because, as we’ve seen, it isn’t completely secure). Further, let’s say your bank or other account provider only offers SMS-based two-factor authentication (they should offer alternatives, but I know some don’t).

So you elect not to use SMS at all.

Here’s the requirement for your account to be hacked:

  • The attacker needs to know your username and password.

That’s it. You’ve made it easier for hackers to access your account.

Even though it’s flawed, adding SMS two-factor authentication is better than nothing, because it puts an additional barrier in place that the hacker must be motivated and able to cross in order to access your account. Most aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords, and most aren’t able. Where does one go to purchase access to a rogue telephone company, anyway?

2FA: still your best defense

Note that with two-factor authentication, knowing your password alone isn’t enough for a hacker to get into your account.

I strongly recommend using two-factor in one form or another, be it Google Authenticator, Authy, email, SMS, or something else.

In a world of malware, phishing, assorted database compromises, and other perils, two-factor authentication remains a critical way to keep your most important accounts secure.

And maybe even some of those not-so important accounts as well.


Footnotes & references

1: Which I did, three times in the space of a couple of months, during the Galaxy Note 7 debacle.

29 comments on “Why SMS Two-Factor Is Better than No Two-Factor at All”

  1. I am not a fan of two factor authentication because I like to be able to move in and out of websites very quickly, which LastPass lets me do. So I do have very strong passwords that get changed on a regular basis. When I do have to do 2FA, I prefer E-mail since it is quick to copy and paste. My bank recently switched to texting, and it significantly slows me down.

    Are all 2FA sites capable of linking with Google authenticator or Authy or Lastpass’s one, or does the website specifically need it?

    • It’s something that the site has to support. For what it’s worth, I RARELY actually have to supply my 2FA when I use my computer here at home. MOST sites have the ability to “never ask for codes on this machine again”, which usually lasts until you clear cookies.

      • So my bank (Capital Bank-US in NC, SC, TN, FL) requests a new 2FA if a different account logged in using that computer since the last login. So if I log in to my account, log out, and log back in to my account, it won’t ask me for 2FA. However, if I log in to my bank account, log out, and log into my wife’s, it will ask for 2FA. Then if I log out of my wife’s bank account and log back into my own bank account, it will ask for 2FA on me again. They just implemented this in November 2016 with their new website upgrade. One reason was they had some fraud, so I don’t think feedback will remove it.

        • Doesn’t surprise me too much. My bank allows me to go back and forth – it apparently keeps the “don’t ask” state for each account I might use.

          I think most people use a single account, and that’s the case that the banks are optimizing for, especially at first.

  2. I’ve held off this comment for a few days to give me time to look at how the hack works.

    Given the fact that the attacker needs to know your username and password, your mobile number, and access to a phone company, it seems highly unlikely that you will fall victim to this unless you respond to a phishing email or text message which is the only way for a stranger to get your username, password AND phone number, unless it was a person you knew performing the hack. And I doubt if anyone reading this has a “friend” with access to a phone company. That would take a sophisticated organization.

    Bottom line: don’t ever respond to a phishing email or text message (in other words, don’t click on a link or phone a number which purports to be from your bank or other website requiring a logon. Enter the web address that you know to be from that institution and log on to see if you have any alerts), and you should be safe using SMS 2 factor authentication.

    Additionally, I would expect banks and big name email providers to be working on hardening their defenses against this kind of attack.

  3. Hi Leo,
    You specifically stated in your report regarding SMS text messaging “and it doesn’t require data connectivity or even a smartphone.” My wife and I have two dumb flip cell phones (“AARP Consumer Cellular”, unlimited calling anywhere in the USA for $34.00 per month – no internet and no texting – voice only). So are you saying that if I opted for 2FA the website could still send me a text message even though I did not pay for a texting plan?
    Thanks for all your help in the past!
    Mike 🙂

    • Some websites allow for the generation of an automated phone call with a code that then gets typed in by you. It works, but it can be a bit slower than the other methods. Personally, I think it is highly likely to have my password and username stolen either via a phishing attempt or because the companies storing them are often very sloppy. I used to work for a fairly large company and password and usernames were very easy to obtain, if I had wanted to. Many people at these organizations could have access to your username/password. Some of the more recent phishing attacks have been very sophisticated, like the Google Drive attack last week. I’m hoping this drives further security innovation that will get rid of the need for passwords! Some sort of universal Yubikey like device seems plausible, if only organizations would get together and support something. The current 2FA implementation is fractured and awkward.

    • If you don’t have a texting plan, you should still be able to receive a text, but it’s possible you might have to pay a few cents to receive it. You can check that with your provider or look it up on their web site.

  4. For me there are two main risks-
    The first risk is having my password stolen / account hijacked.
    The other primary risk is being unable to get into my account because my phone breaks / I somehow lose access to my second factor.
    Losing access is a very significant risk and probably much more likely.

    • SMS is great for that because it transfers automatically to your new phone. And MOST accounts also have backup codes or techniques to account for lost second factors.

  5. Leo,

    Thanks once again for a clear, timely and much needed article. Has it been triggered by NIST’s new guidelines for US government sites, which state that 2FA through SMS is no longer secure? This article seems to state that the “own a phone company” attack is not the only one threatening SMS security:

    https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know

    My bank is about to impose SMS-based 2FA, dumping its present paper and snail-mail-based 2FA (yes… they send you a printed list of one-time codes through the post, and send you a fresh one when you are getting close to the end of the list…). My first reaction, given the current scare about SMS attacks, was that maybe this would reduce security, rather than the other way round. What do you think?

      • Clairvaux’ question is a little different. It’s not whether SMS 2FA is better than nothing. Here in Europe, most banks sent out a paper list of a hundred or two hundred one-time TANs (Transaction Authorization Numbers) for 2FA. When making a transaction, the web page would ask for a specifically numbered TAN. Now many banks are switching over to mobile TANs and discontinuing the paper TAN list. The advantage of mobile TANs is that you don’t have a paper lying around the house or, even worse, carrying it around with you. Personally I scan, OCR and encrypt the list, because that paper list is quite vulnerable. For most people SMS is probably more secure. When I travel I keep my SIM card in a spare phone. Receiving the SMS is free. In my case, I’d consider the paper TANs more secure as I burn after reading, but for the majority, mobile TANs would be more secure, especially if you travel and take the paper with you. And if you don’t respond to emails from your bank (which might be phishing attempts), SMS should be a safe method to receive your TANs.

        • Thank you. Yes, it’s a European bank. I’m not sure most European banks have this paper system, though. In fact, I’m positively scared by the (apparently, to me) low-level access security of many sensitive institutions such as banks or official sites in my country (I’m not naming it for obvious reasons).

  6. My bank (actually a credit union) allows me to request a phone call. They call the phone number they have on record, I answer the call, and enter the code into the onscreen prompt.

    Please confirm that a voice phone call is not at risk for this exploit. Thanks!

    • It would seem that it’s just as vulnerable, albeit less likely since it’s not used as often. That requirement to “gain access to a telephone company” enables most any telephone-related hacking I would expect.

      That being said, it’s STILL MORE SECURE than nothing at all. And, because it’s less common, probably more secure than SMS.

  7. I’m trying to setup Authy for Facebook. I turned 2FA on in Facebook however it’s not showing me any options for authentication methods, just a note that “Two-factor authentication is on”. Any thoughts?

    • On the web site go to options, security and login, then scroll down to “setting up extra security” and click on “Use two factor authentication” – you should be presented with a list of options.

  8. It is not correct to say you can’t transfer your current Google Authenticator setup to another phone; I have done it twice, albeit with iPhones. It does require you to back up your old phone to iTunes and for that backup to be encrypted. You then restore that backup to your new iPhone and voila, Google Authenticator on your new phone is working without having to reestablish each individual account.

    • Another approach is to screenshot the QR code when you first set up two-factor. That must be kept securely of course. But it’s not something that can be done after the fact.

      • Although your reply-back specifically addresses a Google Authenticator post, I would like to piggyback because it seems that the basic principle could/should be applied to Authy but for different reason. I may be mistaken or overthinking, and welcome your input.

        Best practices dictate that Google Authenticator QR codes (or key codes) should first be snapshotted/encrypted/locally.

        Wouldn’t best practices dictate that Authy QR codes (or key codes) should also first be snapshotted/encrypted/locally? Otherwise (assuming the Authy user chooses to use the backup/restore/sync feature) they would exist only in the cloud where there are no 100% guarantees. For instance, point-in-time need of server access [ one of AWS services had a hiccup in past several months, totally unrelated to Authy accounts and I have no knowledge of what cloud provider(s) Twilio/Authy uses, but a reminder that stuff can/does happen ]. There is also the matter of file corruption, which I experienced years ago with an online service. In that incident I had access to version history which was enough to bail me out. I did not have local backup as a safety net, so that was a good learning experience about the need for local backups [ I seriously doubt that Twilio/Authy, for good reason, would provide versioning level of support for free ‘Authy app’ users ].

        • Not sure I’d call it best practices, but yes, if you use Google Authenticator it can be useful to snapshot and securely save the QR code. This can make moving to a new phone significantly less daunting. But that’s one reason I use Authy, myself, and let it back up to the cloud. While a save of the QR code is absolutely an additional safety net, I don’t really feel the need with Authy, since it does make switching devices much more tolerable. (And I absolutely save additional recovery or one-time codes for every service that provides them in case my auth device is lost and/or I can’t recover it.)

  9. Subsequent to lots of reading/thinking here at Ask Leo! and the Authy site and still not having overall comfort level to choose Authy, one day I switched to doing further research at the parent company’s Twilio site. [ Twilio acquired Authy in 2016, located in San Francisco, and provides global communications services. ] The Authy site is great for learning about the mobile app and some of the intricacies involved, but there was very little to do with corporate-level security practices which I was also interested in. The Twilio site provided information that greatly helped me make my decision.

    Below, I am listing four pseudo-urls in case they May Be Helpful to Someone Else:

    https://status dot twilio dot com
    [ Provides real-time information about status of services (search for ‘Authy’). Scroll further to see short list of past incidents. ]

    https://twitter dot com/TwilioStatus
    [ Provides statuses/incidents for as far back as you want to scroll (search for ‘Authy’). Most recent outage dated May 25, 2018: ‘We are currently experiencing delays in email delivery for phone change and account recovery requests for the Authy product’). ]

    https://www dot twilio dot com/legal/privacy/authy (last updated May 7, 2018)
    [ This is *not* your typical legalese document, so don’t be put off by the pathname. The document offers insights, practical guidance on how the end user can best protect their account, and basic explanation of some of the protections and backend heuristics used to detect suspicious Authy account activity. It also explains why it is a good idea to include email address on your account (main reason: ‘compromised account has been detected’). Ignore the ‘Authy API’ sections IF you use the Authy Mobile and/or Desktop app or Chrome extension. Learn about the ‘log’ YOU should keep: any account email changes, any IP address changes but the document does not mention anything about dynamic IP addresses with same ISP but something to consider logging just in case, although I am not familiar with how mobile IP addresses work since I have yet to use a mobile device). This log should be kept up-to-date, as it could be critical to your being better positioned, under certain conditions, to being bailed out by Support to get back into a compromised account. Finally, it always comes down to trusting your service provider. ]

    https://www dot authy dot com/phones/change/
    [ This ‘Request to Change Your Phone Number’ page offers a lot more than clicking the ‘CONTINUE’ button to proceed. It provides a very important 4-point triage checkoff list. In so doing, you may not have to make the request after all. This list does the thinking for you and prevents you from easily making a mistake that could cost you seriously. ]

  10. After I received a phishing message from “Verizon”, I recently contacted the real Verizon to ask them to set up 2FA on my account. The response was to turn on one of those stupid “second password” deals where they ask you your favorite childhood pet or some such nonsense, claiming it was even better than 2FA. Perhaps it falls into the category of “better than nothing”, but it really isn’t much better, being subject to the same sorts of phishing scams.

    • Better than nothing? I suppose. But definitely on the way out, since too many of the answers to those questions are common knowledge or easily mined from social media and elsewhere. I do NOT consider that a “second factor”.

    • Actually, if you pick a good answer which is as complex as a second password, it’s probably almost as good as using a second factor or at least another pretty good level of protection. As for phishing, you just have to be aware that if it doesn’t ask you the security question in addition to other signs of phishing, then it’s a phishing attempt.

  11. I’ve kept my mobile phone number for a long time, but I know some people seem to change their number every time they change their phone. This then presents a lock out situation when they realize (a bit too late), that any authentication working through their old phone number will not work now.

    Maybe you can publish some warnings on that scenario.

  12. Leo (& Banff), Thanks for the information about Authy. I presently use Google Authenticator. If you have not taken note of QR codes & other forms of the shared secret it really is a painful process to re-establish Authenticator on a new device. I will give Authy a closer look.
