Two-factor authentication (2FA) is one of the best ways to add an extra layer of security to your online accounts. That secret code prevents a whole lot of hacking attempts, and it’s great that many people are using it these days. However, how you get that code is extremely important. If you have been using SMS as I did for the longest time, I have a huge favor to ask you — please stop.
Whether it’s Facebook, Amazon, or PayPal, many of us choose to use SMS for two-factor authentication. But SMS was designed with zero security in mind, and that is why it’s the weakest method of getting that important code. You can even choose a different authentication factor other than SMS codes. Let’s talk about it.
I get the appeal behind using SMS as your preferred 2FA method — it’s unparalleled convenience. There’s no app to download, no settings to manage, and no technical knowledge required. You just provide your phone number, and the code comes to you on a device you always have near you. It doesn’t require an internet connection, and even an old non-smartphone can receive an SMS.
Despite its convenience, usefulness, and universality, SMS has some security gaps. Let me just cover the two biggest ones that should keep you up at night.
The biggest problem with using SMS is that the underlying technology is outdated. It just cannot handle modern security needs because it uses an old transmission protocol called Signaling System No. 7 (SS7), developed in the late 1970s and 1980s. It’s easier to exploit because it was developed at a time when access was limited and everyone using it was trustworthy.
The main problem with SS7 is the lack of cryptographic authentication. To put it simply, the protocol assumes any message in its signaling network is coming from a legitimate source, meaning a hacker who gains access to it — usually through a poorly secured carrier — can transmit malicious commands that track, impersonate, and intercept messages.
It gets worse. The SS7 protocol lacks the end-to-end encryption we take for granted in apps like WhatsApp and iMessage. SMS messages are transmitted as plain text, meaning hackers can intercept messages with the 2FA code and easily read them since they’re not encrypted.
Other than seeing the content of the message, the hackers also have access to the metadata. That means they can see other information like phone numbers, location, and device information attached to the messages.
These days, hackers don’t even need to gain access to the signaling network to hack your account. They can exploit one of the weakest links in any security chain — humans. Hackers can use phishing to trick your carrier into transferring your phone number to a SIM card they own. Afterward, they can receive two-factor authentication codes meant for you, allowing them to access your accounts.
A few simple steps a day keep the hackers and cybercriminals away.
How big a threat is SIM swapping? Well, according to a TransUnion report, around 27% of telecommunications executives in the US consider SIM swapping to be the biggest emerging threat in telecommunication fraud. However, SIM swapping actually ranked second, with synthetic identity fraud (30%) taking first place and device theft (20%) coming in third.
Another problem with SMS that I find annoying, rather than a security flaw, is that it can fail you when you need it most. I remember trying to log into my Amazon account on a different device, and when I tried to send the code via SMS, it never came. Sometimes the code arrives after resending, but after repeated failures, I decided that SMS is not reliable for receiving 2FA codes. I’ve experienced similar issues with PayPal and Payoneer.
This single setting can save your email from being hacked.
Here are safer and more reliable alternatives to SMS for two-factor authentication:
Of course, there are more methods than this. These are just the ones that are relatively easier to set up and offer way more security than SMS.
Using SMS for 2FA makes people complacent because they actually think they’re protected. It works, and that’s all they need to know. However, it’s a huge security risk to rely on technology that hasn’t evolved since the 1970s. We are in the digital age, where threats are rapidly evolving, widening the security gaps of this outdated technology further. It’s time to switch to something better.
We want to hear from you! Share your opinions in the thread below and remember to keep it respectful.
Your comment has not been saved
Unfortunately banks/credit unions use SMS 2 Factor and don’t give you a choice to use other 2FA options