Don't Use SMS for 2FA

Using SMS text messages for two factor authentication is no longer considered a best practice.


Forbes Magazine published an article entitled, Why You Should Stop Using SMS Security Codes—Even On Apple iMessage, and CNET posted an article Do you use SMS for two-factor authentication? Here's why you shouldn't .


Wired Magazine notes that a security expert believes, "two-factor authentication using SMS text messages isn't technically two-factor at all."


In January 2020, the Department of Computer Science and Center for Information Technology Policy at Princeton University published the results of a research project, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, which concluded that, "users of websites relying on SMS-based MFA continue to be at risk—in some cases severely."


Cell phones can be vulnerable to phishing attacks that lead service providers to direct texts to different SIM cards. The New York State Department of Consumer Protection has posted a warning about scams which aim to switch SIM cards to new devices. The Princeton Study, "identified weak authentication schemes and flawed policies at 5 US mobile carriers from the prepaid market. We showed that these flaws enable straightforward SIM swap attacks."


International mobile subscriber identity-catcher (IMSI) are mobile towers set up for malicious reasons to intercept text messages.


Malware can also be installed on smartphones which will intercept codes used for 2FA.


Using a token or an authentication app that generates temporary codes are better alternatives. Google Authenticator will generate temporary 8 digit passwords.