Why you should enable two-factor authentication everywhere, just not on SMS
Two-factor authentication, also known as 2FA, is a good thing. It helps to protect your online accounts by requiring both a password and a temporary code, sent to your mobile phone, in order to log in.
That way, even if someone steals your password, they still can’t log into your account if they don’t possess your mobile and the code.
Passwords can be easily stolen. They can be sniffed through the air if you use public Wi-Fi and an unencrypted connection to the website. They can be brute-forced from stolen databases, like Yahoo’s one billion user breach. And if you use the same password across multiple sites, an attacker needs only a single breach to get access to your other accounts.
Where possible, however, I also recommend you not use 2FA through SMS. That’s because messages can be hijacked and redirected to an attacker’s mobile phone instead of yours. For years, this was theoretically possible, but recently a group of thieves has actually exploited this weakness to empty victims’ bank accounts in Germany.
As with bank accounts in Singapore, German banks require online banking customers to receive a code on their phone before a transaction is approved. In this case, the attackers infected their victims’ computers with malware and collected their bank account details, including login passwords, and their mobile numbers.
They then purchased access to a rogue telecommunications provider, which let them redirect the victim’s mobile phone messages to their own mobile phones. This gave them access to the 2FA codes.
So what should you do instead?
Many sites nowadays also offer 2FA through apps like Authy. When you scan a QR code, the site and Authy come to share a ‘secret key,’ and the app can then generate time-based temporary 2FA codes for you to log into your account, even when you don’t have a data connection on your smartphone.
Google, Facebook, and Twitter are among the popular sites that offer this option. So instead of having codes sent to your mobile phone through SMS, they’re generated on your device. Even if attackers redirect your messages, they still won’t get the login codes.
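To show what the app and the site are actually computing from that shared secret, here is an added example (not code from the original post, and not Authy’s or Google’s code) that implements the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) in Python with only the standard library. The secret is a constructed demo value: the RFC 6238 test-vector seed, base32-encoded the way a QR code would carry it. The verifier class is a hypothetical server-side check showing the two details a practitioner cares about: tolerating a little clock drift, and refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector seed ("12345678901234567890"),
# base32-encoded as a QR code would carry it. A real site generates a random secret
# per account; this one exists only so the output can be checked against the RFC.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # Re-pad in case the QR code / user stripped the trailing '=' characters.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps).

    Only the secret and the clock are needed, which is why the app works offline."""
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Hypothetical server-side check (assumption: one verifier per site, in memory).

    Accepts the current time step plus `window` steps either side to absorb clock drift,
    and remembers the highest step already used for a secret so an observed code cannot
    be replayed, even inside the drift window."""

    def __init__(self, window: int = 1, step: int = 30):
        self.window = window
        self.step = step
        self._last_step = {}  # secret -> highest step that has already been redeemed

    def verify(self, secret_b32: str, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self._last_step.get(secret_b32, -1):
                continue  # this step (or an earlier one) was already used: reject replay
            expected = hotp(secret_b32, step).encode()
            if hmac.compare_digest(expected, code.encode()):  # constant-time comparison
                self._last_step[secret_b32] = step
                return True
        return False


if __name__ == "__main__":
    # Prints the code the authenticator app would show right now for the demo secret.
    print(totp(DEMO_SECRET_B32, int(time.time())))
```

The numbers in the test vectors come straight from the RFC appendices, so the same function can be checked against any authenticator app by entering the demo secret. Note that SMS plays no part anywhere in this exchange: the only shared state is the secret exchanged once at enrolment.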
There’s another advantage to using an app to generate a 2FA code instead of relying on SMS. I was once locked out of my Google account in the UK, when I didn’t get my 2FA message from Google. With a quick Google search, I discovered that Google didn’t send overseas messages for 2FA. I’m not sure if they’ve changed their policy, but I don’t have to worry now that I’ve switched over to using an app.
If you use 1Password like I do, things get even easier. 1Password can be used as an authenticator for 2FA, so I get codes inside my password manager instead of a separate app, making logins easier.
When you sign up for 2FA, you’ll usually be presented with a list of backup codes. I strongly suggest you save these codes somewhere secure. You can use these codes to sign in if, for some reason, you can’t get a 2FA code, like when I was locked out in the UK.
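For the reader who wonders what those backup codes are on the site’s side, here is an added example (not from the original post, and not any particular site’s implementation) of how backup codes are sensibly generated and redeemed in Python: each code comes from a cryptographic random source, the site stores only salted hashes of them (as it would for passwords), and each code works exactly once. The class and its method names are my own assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 10, digits: int = 8) -> list:
    """Produce `count` distinct single-use codes from a CSPRNG.

    The site shows these to the user once, at enrolment; this is the list the
    user is told to save somewhere secure."""
    codes = []
    while len(codes) < count:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in codes:
            codes.append(code)
    return codes


def _normalise(code: str) -> str:
    """Let users type codes with the spaces or dashes some sites print for readability."""
    return code.replace(" ", "").replace("-", "").strip()


class BackupCodeStore:
    """Hypothetical server-side store: keeps only salted PBKDF2 hashes of the codes,
    so a database leak does not hand out working backup codes, and removes a hash
    once its code has been redeemed so the same code cannot be used twice."""

    def __init__(self, codes, iterations: int = 100_000):
        self.salt = secrets.token_bytes(16)  # one salt per user is enough here
        self.iterations = iterations
        self._hashes = [self._hash(c) for c in codes]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", _normalise(code).encode(), self.salt, self.iterations
        )

    def redeem(self, code: str) -> bool:
        """Return True and consume the code if it is one of the unused backup codes."""
        candidate = self._hash(code)
        match = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):  # constant-time comparison
                match = stored
                break
        if match is None:
            return False
        self._hashes.remove(match)  # single use: the code is gone after this
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    issued = generate_backup_codes(5)
    store = BackupCodeStore(issued)
    print("issued:", issued)
    print("first code works:", store.redeem(issued[0]))
    print("same code again:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

Because the hashes are what the site keeps, the only complete copy of the codes is the one shown to you at enrolment, which is why the advice above to save them somewhere secure matters: if you lose them, the site cannot recover them either.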
Is using 2FA more troublesome than not using it? Yes, of course, it is. But convenience is always in a tug of war with security, and when it comes to valuable accounts like your email, I’d recommend you err on the side of security more often than not.