Stop Using Text Messages for 2FA

Using strong, unique passwords for your online accounts is crucial. But to be truly secure on your most important accounts (which includes email and social media, by the way), you really need a second barrier to entry: two-factor authentication (2FA).

What is two-factor authentication? In a nutshell, 2FA requires you to enter one additional “secret” in order to access your accounts beyond your password. In the cybersecurity biz, we call this “defense in depth”. Bad guys are smart and attacks get more clever as time goes by. Nothing is 100% secure. So adding a second layer of defense, something that requires a totally different attack method to defeat, will greatly increase your overall security.

How Does 2FA Work?

Most two-factor authentication systems require you to enter a PIN code in addition to your password. You’re prompted for your usual login name and password, and then you’re challenged to enter a PIN code. Note that this doesn’t usually happen every time you log in and this challenge behavior is often configurable. For example, if you’re logging in from your home computer, the system may recognize your IP address and not challenge you at all. But if all of a sudden you try to log in from a new device or location, you’ll be asked to enter the 2FA PIN code. This PIN code (unlike your password) changes periodically – that is, it’s only valid for a short time. If you fail to enter it in time, you’ll need to get a fresh PIN code. And after you use the PIN code, it’s no longer valid.

It’s Time to Ditch SMS for 2FA

There are two main ways to obtain your 2FA PIN code today: in a text message (SMS) or from a special smartphone app that produces a time-based one-time password (TOTP). Text messages are a popular choice because it’s the lowest common denominator: most people have a text-capable phone these days. (If not, you can have the system call your landline and read you a PIN code.)

SMS messages have never been super secure. For example, using a technique called SIM swapping, bad guys can effectively clone your cell phone and receive your text messages. But this article from Vice details a new technique for stealing your text messages that is much simpler. With some crafty lies and $16, bad guys can forward your text messages to their phones. [Update: Supposedly, major carriers have addressed this particular issue. But SMS is still not nearly as safe as what I recommend below.]

Switch All Your 2FA to App-Based Codes

Given this, it’s time for everyone to move to using TOTP codes and stop using SMS. If you’ve set up text-based 2FA already with some account, you should check to see if TOTP options are available. Note that it may have changed since you signed up, since many companies are realizing how bad SMS-based PIN codes are and have started offering TOTP. This site will help you find out which services offer 2FA and even give you a link to set it up.

In order to make the switch from text-based 2FA to TOTP-based 2FA, you’ll probably have to go to your security settings on the website and disable 2FA first. Then re-enable it using the TOTP type of authentication. You can read about how to set that up here.

A Few More Thoughts

Note that there are many TOTP apps you can use. Many sites will specifically mention using Google Authenticator, but you don’t have to use that specific app – and in fact, I suggest you don’t (for privacy reasons). I personally prefer Authy (and I’m not alone).

Be sure to back up your 2FA codes, as well. If you lose your phone or just buy a new phone, you’ll need to transfer your 2FA codes or you’ll be in big trouble. You can print off the setup QR codes (which you have to do at the time of setup) and save them somewhere safe. If you use Authy, you can securely back them up to the cloud. Some sites will also offer you some special recovery codes in case you lose your phone – if so, print those off, too.

Note that if you want to share an account with someone (like a spouse), you can both scan the same QR setup code so that both your phones can produce the needed PIN code.