Two-factor authentication is now standard for web services. It secures your accounts by adding another layer of security, making it harder for hackers to break in. But keep in mind that two-factor authentication, especially when the codes are delivered via SMS, is not perfect and isn’t a sure way to secure your accounts.
Over the past few months, SMS-based two-factor authentication has become the weakest link for hackers to exploit. Attacks on political activists in countries like Iran, Russia, and America have shown that hackers can hijack SMS messages easily. That said, we strongly advise you to switch to a more secure authentication system, like a smartphone app or a physical token that generates one-time codes.
According to security researcher and forensics expert Jonathan Zdziarski:
“SMS is just not the best way to do this. It’s depending on your mobile as a means of authentication (in a way) that can be socially engineered out of your control.”
Of course, adding a layer of SMS-based verification to your usual login process is certainly better than relying on a password alone. But the security researcher stated that two-factor authentication using SMS text messages isn’t technically two-factor at all. The whole idea of two-factor authentication is to test someone’s identity based on something they know, like a password, and something they have, like their smartphone.
“SMS has turned that ‘something you have’ into ‘something they sent you,’” says Zdziarski. “If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.”
But don’t get us wrong. Those attacks aren’t exactly easy to pull off, and likely require the attacker to know the victim’s phone number together with the password of the account. But for people who keep a lot of valuable information on the internet, we strongly advise finding a more secure solution.
Fortunately, a lot of services offer better options. There’s Google, for example. The company recently launched Google Prompt, a service that sends a second-factor login prompt straight from its servers to Android phones or to the Google Search app for iOS.