Dennis Hackethal’s Blog


Don’t Use Text Messages for Two-Factor Authentication

Published · 1-minute read

Two-factor authentication (2FA) adds an additional layer of protection on top of a password. When logging in to some service that you have configured to use 2FA, you are typically prompted to provide your 2FA code after you type in your password. This approach enhances security because that code is something only you have – at least that's the idea.

The risk of using 2FA based on text messages

Some services offer text messages as a way to receive 2FA codes. As others have noted, that's a bad idea because text messages can be intercepted. Hackers have contacted cellphone carriers, impersonated customers, and successfully gained access to text messages that aren't theirs, including 2FA codes. Now you're not the only one who has those codes.

The same risk applies to emails, push notifications, and any other method involving the remote generation and subsequent transmission of 2FA codes.

Why authenticator apps are more secure

It's better to use an authenticator app.

The reason an authenticator app is more secure than text messages is that it doesn't receive any communication from whatever service you're trying to log in to. It instead generates the 2FA code locally, i.e. on the device itself. Thus, no communication can be intercepted during the generation of the 2FA code, since no communication occurs at that time. This also means an authenticator app works without any internet or cell connection on the 2FA device, which is an additional benefit.
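As an added example that is not part of the original post, this is the local computation an authenticator app performs: the standard is TOTP (RFC 6238), built on HOTP (RFC 4226). The service and the app share one secret, once, at enrollment (usually as a QR code); after that each side computes the code from that secret and the current time, so nothing needs to be transmitted. The secret below is a constructed test value, and the function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret (the RFC 6238 test key, base32-encoded). In
# practice this is the value hidden in the QR code the service shows once
# at enrollment; after that, neither side needs to send anything.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret as shown in an enrollment QR code (padding optional)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts +/- `window` steps to tolerate clock drift
    and compares in constant time so timing doesn't leak the valid code."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    secret = decode_secret(SHARED_SECRET_B32)
    now = int(time.time())
    # The "phone" computes the code with no network involved...
    code = totp(secret, now)
    # ...and the service, holding the same secret, recomputes it to check.
    print(code, verify_totp(secret, code, now))
```

The test vectors from the two RFCs (e.g. 94287082 at Unix time 59 with 8 digits) reproduce exactly, which is why any app and any service implementing the standard agree without talking to each other.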

To reduce the attack surface even further, install the authenticator app on a separate device such as a smartphone, if you have one. In addition, protect access to this app using facial recognition, Touch ID, or a PIN.

You can find a list of recommended 2FA apps here (but don't use their text, email, or push-notification functionalities!).

Summary

In short, use an authenticator app for 2FA to avoid the interception of remotely generated 2FA codes.
