Why it's time to stop using services that force you to use SMS-based two-factor authentication

Instagram two-factor authentication settings (Image credit: Joe Maring / Android Central)

You should be using two-factor authentication on every single online account you have. It doesn't matter how rich or how famous you are (though the rich and famous should probably do even more to secure their identities) because everyone has something of value hidden in their online accounts. Companies like Google and Facebook offer everything for free because our online data is so valuable.

Using two-factor authentication (2FA) isn't designed to be easy because proving that you're really who you claim to be should have a barrier attached. Unfortunately, many people think this barrier is too high or too inconvenient and skip 2FA altogether. I'm not going to stand on a soapbox and explain how wrong that is because that's been done to death. You know why you should use it and have made a decision.

But for those who do choose to secure their accounts with 2FA, there's another issue: many companies offer nothing but SMS to deliver the second factor. When you sign in for the first time from a new phone or computer, a short code is texted to the number the company has on file for you. It sounds simple, and it is still better than a password alone, but it ties the security of your account to a phone number that someone else can take over, and the confidence it inspires is out of proportion to the protection it actually provides.

Two-factor authentication (Image credit: Android Central)

It's not trivial to "steal" your phone number by talking a carrier into issuing a new SIM card (a SIM swap), because it means convincing an employee to do something they aren't supposed to do. But we all know it happens. It's also not easy to intercept an SMS in transit, even though the weaknesses in the carrier signaling network that make it possible have been known for years. What is simple, and cheap, is paying a third-party messaging company to reroute the texts sent to one number so that they land at another.

Businesses do need to forward SMS messages, but there has to be some oversight.

There is a legitimate need for rerouting SMS messages, such as letting a help desk take support requests by text on a business landline or a virtual number. The problem is that no regulation requires the companies offering such services to verify that you actually control the number being redirected. You fill out an online form, pay a few dollars, and lie on the application.

This is a huge issue that needs to be addressed, and soon. Many of us will carry the same phone number with us throughout our lives; your phone number really is part of your identity. I don't know how to fix this issue without introducing new laws made by people who have no idea how the technology works or letting this particular industry police itself. Both options here are bad, so I'll let the experts figure it out.

It's not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai's approach of industry self-regulation clearly failed. — Senator Ron Wyden

What I can do though, is say that we all need to stop using services that only offer SMS as a method for 2FA. Period, full stop.

Acorns 2FA over SMS (Image credit: Jerry Hildenbrand / Android Central)

The experts who oversee security at your bank, a retailer, or any other business that operates online know how weak SMS is as a second factor. That doesn't seem to make a difference in many cases; you'll find plenty of otherwise reputable businesses that offer it as the only option. I assume it's partly because SMS is easy to deploy, and switching to a method that is actually secure would cost money.

An authenticator app is just as easy to use as getting SMS codes.

It's equally hard for many users to make that switch, even when they find a service that meets basic security standards. SMS is easy and works from any device that can receive a text. We all know the drill: get the code in a text, type it into the little box, and press submit. It works on a cheap Android phone or even a feature phone.

What many don't realize is that a software authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator is just as easy. You don't wait for a code to arrive; you open the app, pick the service, and a code is there instantly. The reason it holds up better is that the app and the service share a secret only once, when you scan the setup QR code, and every code after that is computed on your phone from that secret and the current time. Nothing is sent over the phone network, so there is nothing for a SIM swap or an SMS reroute to capture.

FIDO key (Image credit: Android Central)

Other methods, like a USB or wireless security key, are also fairly easy once you find hardware that works with your devices, and they have one advantage an app can't match: a FIDO key only answers the site it was registered with, so a lookalike phishing page gets nothing from it. For most people, though, a software authenticator app is the right choice. It isn't 100% "hackproof" either (a convincing phishing page can ask you to type the current code and relay it in real time), but it's not something that's trivial to exploit.

It's worth switching services to find one that cares about your account security.

Switching how you get your 2FA codes is the easy part, though. What if your bank only uses SMS (or, even worse, a voice call) for 2FA? Should you switch banks? Yes. And tell them why you're switching, because someone in their IT department already knows you're making the right call.

The good news is that most popular services now offer the option to use an authenticator app. Amazon, Twitter, Google, Microsoft, and even Facebook will let you use one when you set up 2FA, or let you change how you get your codes afterward, and Apple sends its codes to your trusted devices rather than over SMS. But there is a real chance that a service you need isn't on board yet and only offers SMS. It's time to ditch those services and find one from a company that cares at least a little about your account security.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Yeah, I'll just close my bank accounts now...
  • hahhah I was just thinking the same thing
  • My stupid bank uses SMS as 2FA and it's irritating. I'm not going to switch banks though because my bank isn't a scumbag like big banks. I prefer to use an authenticator app along with my Google Titan Security Key (which I mainly use for my Google account).
  • I couldn't agree with you more! And here's something else that plays into that. On the chance that your Windows 10 laptop or tablet should be stolen, or compromised, when you receive a text on your phone, you also receive that text in the Action Center on your computer! Not very safe if you ask me. That's one reason I've been switching to Microsoft Authenticator on just about everything I can. Enjoyed the article.
  • If someone stole your laptop that most likely has access to all your login, the last thing you should worry about is the action center.
  • "Using SMS for two-factor authentication offers nothing except a false sense of security." This statement is just not true. My banks don't use it but WhatsApp, Tinder, Bumble only use SMS to send a code. Even Google Messages uses SMS to receive a code to setup up Chat (RCS). A tonne of services use SMS for 2FA.
  • OK fine, ditch the SMS for 2FA. Now what about email?
  • Jerry Hildenbrand expert on this subject? Don't think so.
  • Places don't use SMS just because it is easy. They use it because it is ubiquitous. They can be pretty well assured that everyone has access to text. You do make a point that it is relatively easy to hijack, but for most people that would require an intent to hijack a particular person. This is different than sending out phishing e-mails hoping people will willingly provide you with their username and password. Other systems require a specific client to use it, Microsoft Authenticator, Google Authenticator, Yubi Key. Some cost money, some require special hardware. People don't want to manage a multitude of these, and companies aren't going to settle on one.
    What annoys me most about 2FA in the first place, is the cavalier nature in which companies implement it 'for my safety'. Ring and Arlo have both implemented SMS only. I work in an environment I can't have my cell phone, so they have effectively locked me out of viewing my cameras from work. Guess when I need to see them. Other systems provide options like calling a landline or sending an e-mail to a vetted address, but Ring have opted to do the least, to say they have 2FA and require it.
  • Well, nearly as I can determine, only one of my financial institutions supports hardware 2FA at all, and it still allows, indeed mandates, the use of SMS as a fallback. Second, when it requires me to do something after I have already signed in, that is just an additional step that I need to do every time I sign on. At least the way it is set up with SMS now, their system remembers my devices and I only need the second step after an update or new computer. Until it becomes more than marginally useful I will save the money.
  • Question: I've never used Google or MS auth (use SMS). What happens when your auth is on a phone that dies? How do you prove your identity to the Auth app on a new phone, and how do you set up a new phone when you can't log into your Google acct because it requires the auth app which you can't get to without your Google acct to DL from playstore?
  • That is my issue too. What happens if the phone dies, the app doesn't work? I want to use 2FA but the chances of me not having the second device could be high. If I have to wait for a new SIM card, or new phone? I can't access my email/contacts. Ironically that's when I would need it the most to order, track shipping and more.
  • I feel safer with an authenticator app so I use 2FA for several services (Amazon is one of them). I have the same question. If I lose my phone and then try to install the Amazon app on my new phone, how do I authenticate. Is there someplace I sign in that bypasses the authenticator? Also, while waiting for the new phone, am I unable to sign into Amazon on a new computer?
  • Authy allows you to back up your 2FA tokens to the cloud so that you can retrieve them on a new device. The tokens are encrypted on your phone before upload (and decrypted on a new device after download) so Authy doesn't see the clear tokens at all.
  • cool. thanks for info!
  • So with Authy, when you change your phone, reinstall the Authy app and log back in, are the websites you had on the 2FA before you changed your phone still there ready to use again? I've used Google Auth and it's a pain because as far as I'm aware, they don't have that option. You have to start from scratch again each time you change your phone.
  • Most places that do authenticator-app two-factor authentication allow you to generate a set of printable codes which you can put in a safe place as an emergency backup. Also, the QR codes that most two-factor authentication methods use are images. Often, you can download the image file and save it, online or offline, for later reauthentication. That's what I used to do in the early days of Google Authenticator. When I got a new phone, I'd open my saved QR codes and add the two-factor settings into the Authenticator App again.
  • My banks offer SMS and email. I always choose email.
  • It's impractical to switch services just because of their 2FA employed method. Unless there is a serious flaw that is known to all, companies will not switch to another method. So telling people to drop what they are currently using and take their business elsewhere is silly.
  • Yubikey...installed without problems on a recent W10 computer. Then tried to use it as the authentication for a Microsoft service....Microsoft does not recognise this authentication method.
    Using an app also implies that you are using a phone on the latest version of iOS/Android and it is fully patched. I guess here in the UK SMS redirection is less likely because SMS is normally free with your contract and if you stop receiving SMS messages you will notice. But it's more than that. Our bank requires you to request the SMS token from its website. If the SMS is redirected and you don't receive it, that sticks out. But if it was somehow duplicated to another number, the person with that number has to have your other identification - which is why it is called 2FA. The general idea is that you never give that information out except to the bank login.
    I use banking apps, true, but see the comment about latest Android, fully patched, above - and the second factor is fingerprint, or a user name and password locked in the data safe.
  • This sounds simple in theory but in practice it doesn't really work for multiple reasons - some of which have already been detailed in the comments.
  • I'll stop when Apple goes on a crusade stating that this technology is bad for everyone. Apple knows best, you better bow down and submit. Do it for Jobs.
  • Your comment makes no sense and does nothing for the conversation but show your ignorance. I still can not believe how Apple gets dragged into every Google/Android article ever written. You guys should check your jealousy at the door.