Dennis Hackethal’s Blog
My blog about philosophy, coding, and anything else that interests me.
History of post ‘Don’t Use Text Messages for Two-Factor Authentication’
Versions are sorted from most recent to oldest with the original version at the bottom. Changes are highlighted relative to the next, i.e. older, version underneath. Only changed lines and their surrounding lines are shown, except for the original version, which is shown in full.
Revision 2 (v3, the most recent version)
@@ -6,7 +6,7 @@ Two-factor authentication (2FA) adds an additional layer of protection on top of Some services offer text messages as a way to receive 2FA codes. As others have noted, that's a bad idea because text messages can be intercepted. Hackers have contacted cellphone carriers, impersonated customers, and successfully gained access to text messages that aren't theirs, including 2FA codes. Now you're *not* the only one who has those codes. One way hackers pull this attack off is known as a-[swim-swap+[SIM-swap scam](https://en.wikipedia.org/wiki/SIM_swap_scam). The same risk applies to emails, push notifications, and any other method involving the remote generation and subsequent transmission of 2FA codes.
Revision 1 (v2)
@@ -1,23 +1,25 @@ # Don’t Use Text Messages for Two-Factor Authentication Two-factor authentication (2FA) adds an additional layer of protection on top of a password. When logging in to some service that you have configured to use 2FA, you are typically prompted to provide your 2FA code after you type in your password. This approach enhances security because that code is something only you have – at least that's the idea. ### The risk of using 2FA based on text messages Some services offer text messages as a way to receive 2FA codes. As others have noted, that's a bad idea because text messages can be intercepted. Hackers have contacted cellphone carriers, impersonated customers, and successfully gained access to text messages that aren't theirs, including 2FA codes. Now you're *not* the only one who has those codes. +One way hackers pull this attack off is known as a [swim-swap scam](https://en.wikipedia.org/wiki/SIM_swap_scam). The same risk applies to emails, push notifications, and any other method involving the remote generation and subsequent transmission of 2FA codes. ### Why authenticator apps are more secure It's better to use an authenticator app. The reason an authenticator app is more secure than text messages is that it doesn't receive any communication from whatever service you're trying to log in to. It instead generates the 2FA code locally, ie [on the device itself](https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3). Thus, no communication can be intercepted during the generation of the 2FA code since no communication occurs at that time. This means that an authenticator app also works without any internet or cell connection on the 2FA device, which is an additional benefit. To reduce the attack vector even further, install the authenticator app on a separate device such as a smartphone, if you have one. In addition, protect access to this app using facial recognition, touch ID, or a PIN. 
You can find a list of recommended 2FA apps [here](https://www.techradar.com/best/best-authenticator-apps) (but don't use their text, email, or push-notification functionalities!). ### Summary In short, use an authenticator app for 2FA to avoid the interception of remotely generated 2FA codes.
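Review bot: the added line spells the attack "swim-swap scam" while the link target is https://en.wikipedia.org/wiki/SIM_swap_scam; the link text should read "SIM-swap scam" so the name matches the page it points to (the later revision makes exactly this correction).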
Original (v1)
# Don’t Use Text Messages for Two-Factor Authentication

Two-factor authentication (2FA) adds an additional layer of protection on top of a password. When logging in to some service that you have configured to use 2FA, you are typically prompted to provide your 2FA code after you type in your password. This approach enhances security because that code is something only you have – at least that's the idea.

### The risk of using 2FA based on text messages

Some services offer text messages as a way to receive 2FA codes. As others have noted, that's a bad idea because text messages can be intercepted. Hackers have contacted cellphone carriers, impersonated customers, and successfully gained access to text messages that aren't theirs, including 2FA codes. Now you're *not* the only one who has those codes.

The same risk applies to emails, push notifications, and any other method involving the remote generation and subsequent transmission of 2FA codes.

### Why authenticator apps are more secure

It's better to use an authenticator app. The reason an authenticator app is more secure than text messages is that it doesn't receive any communication from whatever service you're trying to log in to. It instead generates the 2FA code locally, ie [on the device itself](https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3). Thus, no communication can be intercepted during the generation of the 2FA code since no communication occurs at that time. This means that an authenticator app also works without any internet or cell connection on the 2FA device, which is an additional benefit. To reduce the attack vector even further, install the authenticator app on a separate device such as a smartphone, if you have one. In addition, protect access to this app using facial recognition, touch ID, or a PIN.

You can find a list of recommended 2FA apps [here](https://www.techradar.com/best/best-authenticator-apps) (but don't use their text, email, or push-notification functionalities!).

### Summary

In short, use an authenticator app for 2FA to avoid the interception of remotely generated 2FA codes.