Why you are at risk if you use SMS for two-step verification – CNET

Image: Google Prompt in action. (Screenshot by Matt Elliott/CNET)

Google this month began moving people away from receiving two-step verification codes via SMS. Starting last week when signing into your account, you may have received an invite from Google to start receiving prompts via the Google app instead of six-digit codes via your texting app.

Google is making this move because its new prompts are more secure than SMS. They also make the process of signing into your account quicker and easier. Time for a quick Q&A:

Wait, what is two-step verification?

Two-step verification (2SV if you are into the whole brevity thing, although it’s also called two-factor authentication or 2FA) adds a layer of security to your online accounts, from Amazon, Apple and Google to Facebook, Instagram, and Twitter. Instead of entering only your password to access an account, you need to enter your password — the first verification factor — and then a code sent via SMS or a prompt via an authentication app — the second factor. This means a hacker would need to steal both your password and your phone to break into your account.

So, why the move away from SMS?

For the simple fact that receiving 2SV codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your social security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your phone in order to gain access to your 2SV codes.

Also, if you sync text messages with your laptop or tablet, then a hacker could gain access to SMS codes by walking off with such a device of yours.

Then there are the weaknesses in the mobile telecom system itself. In what’s called an SS7 attack, a hacker can spy via the cell phone system, listening to calls, intercepting text messages, and seeing the location of your phone.

All of the above scenarios are bad news for those receiving 2SV codes via SMS.

What should I use instead?

An authentication app such as Google Authenticator, Microsoft Authenticator or Authy. It has the advantage of not needing to rely on your carrier; codes stay with the app even if a hacker manages to move your number to a new phone. And codes expire quickly, usually after 30 seconds or so. 

In addition to being more secure than SMS, an authentication app is faster; you need only to tap a button to verify your identity instead of the hassle of manually entering a six-digit code.
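The property described above, codes that are computed on the phone from a shared secret and the current time and expire every 30 seconds, is what RFC 6238 TOTP does; the following is an added example written for this article, not code from CNET or from any of the apps named. It uses the RFC's published test key and assumes the defaults most authenticator apps use (SHA-1, six digits, 30-second step, one step of clock-skew tolerance on the server side).

```python
import base64
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step; why a code "expires after 30 seconds or so"
DIGITS = 6         # the six-digit code the article mentions
SKEW_STEPS = 1     # verifier accepts one step either side to tolerate clock drift

# Test key from RFC 4226 / RFC 6238 appendices (not a real account secret).
RFC_TEST_KEY = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app reads from the setup QR code."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Nothing here touches the carrier; secret + clock is all the phone needs."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = STEP) -> int:
    """How long the code shown at time `at` stays current."""
    return step - at % step


def verify(secret: bytes, code: str, at: int, skew: int = SKEW_STEPS) -> bool:
    """Server-side check: accept the current step and `skew` neighbours, in constant time.
    A code captured and replayed a minute later falls outside the window and is rejected."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )
```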

What is Google Prompt?

Google Prompt lets you receive codes without using SMS or a separate authentication app. It’s baked into Google Now on Android and the Google Search app for iOS. Learn how to set up Google Prompt.

Image: Google Prompt. (Matt Elliott/CNET)

Do I even need two-step verification if SMS is so vulnerable?

Yes! In addition to creating strong passwords and using different passwords for each of your accounts, setting up two-step verification is the best move you can make to secure your online accounts — even if you insist on receiving codes via SMS. Two-step verification via SMS is better than one-step verification where a hacker needs only to obtain or guess your password in order to gain access to your data. Don’t be the low-hanging fruit with an account that is the easiest target for hackers.

But two-step verification is a hassle

That’s not a question, but my counter would be that it’s less of a hassle when done right and you are receiving codes via Google Prompt or an authentication app where you don’t need to enter six-digit codes. Sure, even then it does force you to take an extra step of grabbing and tapping your phone after entering your password to log into one of your accounts. I would argue, however, that the hassle of the second step of two-step verification pales in comparison to the hassle of getting hacked. At best, getting hacked is a hassle. More often, it’s a mix of anger, pain and confusion.
