Login (in)security: SMS 2FA?

My wife gets annoyed at two-factor authentication (2FA). You know, that extra step of typing in a code after you type in your password? It’s a smart security feature and you should use it. Even if it’s annoying.

That said, you should avoid using SMS (text messages) for this if at all possible. Why? Because it’s easy for someone who’s savvy enough to hijack a phone number and receive its text messages through a system other than your phone.

I’ve seen this happen non-nefariously. We use Dialpad for our phone service at The Universal Design Project. We have a secondary number that I recently set up to use for mass texting through Textiful.

It was eye-opening. I signed an agreement to allow Textiful to use this number and that was all that was necessary. They did some sort of sorcery on their end that redirected all texts to go through their system. I didn’t release the number or port it out of Dialpad. I didn’t change any settings. In fact, if you call the number, it still rings through Dialpad. But if you text it, the texts go through Textiful.

Lesson learned: phone numbers aren’t secure.

The most popular ways of enabling 2FA are SMS and time-based one-time passwords (TOTP) generated through apps like Authy or Microsoft Authenticator. I highly recommend using one of these apps (we use Authy). They all work the same way and are far more secure than SMS.

There are other 2FA methods too, like biometrics or hardware keys (our Google Workspace account is secured with a Titan Security Key), though these aren’t as widely supported by web services as SMS or TOTP.

If you have a WordPress website, the Wordfence Security plugin is a great way to enable TOTP 2FA on your site. Install it and then use Authy. If you need any help, don’t hesitate to reach out!

Scott Pruett

One comment

  1. “SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.”

    More info from Krebs on Security: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
