Why you shouldn't rely on texts when using two-factor authentication to sign into accounts

·5 min read

Several million T-Mobile customers may now be busying themselves with setting up free credit freezes to deal with a data breach that included Social Security numbers.

But they’re not the only people who should be considering doing some security cleanup work with their wireless accounts.

The T-Mobile hack may have made it easier for attackers to stage a SIM swap attack, in which they take over a phone line to intercept two-step verification (also called two-factor authentication), a process during which users respond to a text, email or push notification to verify ownership of a particularly valuable online account.

Now, “particularly valuable” can mean many things depending on your online visibility, social-media influence and perceived wealth. But for most people, that should translate to your primary email and social media accounts.

► T-Mobile breach: Carrier investigating claims of a data breach that reportedly affected 100 million of its wireless customers

I'm not famous. Why do I care?

Ever signed into an account using your name and password and then been asked to take a second step to prove you are who you say you are? That's two-factor authentication at work.
Ever signed into an account using your name and password and then been asked to take a second step to prove you are who you say you are? That's two-factor authentication at work.

Even if you don't have a huge digital presence, you've probably encountered two-factor authentication before. Ever signed into an account using your name and password and then been asked to take a second step to prove you are who you say you are? That's two-factor authentication at work.

It's often used to reset passwords and sign into all types of sensitive accounts, including work-related software, social media platforms and maybe even your 401(k) account.

Many users often choose to have a text sent to their phone to complete the process. That's pretty secure, right? After all, you are holding your phone in your hand right now, so no one else can get at it – right?

Lock down your phone from snoops and hackers: Security tips and tricks

Wrong. SIM swaps have been a risk across the industry for years as attackers have exploited customer-service reps to stage account takeovers.

An encrypted USB security key is a physical device, costing around $25, that you plug into your computer or tap against an enable device. It can't be fooled by scammers and can protect multiple accounts.
An encrypted USB security key is a physical device, costing around $25, that you plug into your computer or tap against an enable device. It can't be fooled by scammers and can protect multiple accounts.

More secure alternatives

Your options for upgrading from text-based two-step verification fall into a few common categories, ranked from easiest to most secure:

  • A yes/no prompt shown in an app on a mobile device also signed into the same account. You then approve it if you know for certain that the new login is legitimate.

  • A one-time code generated by special software such as Google’s Authenticator apps for Android and iOS that you type into the device or browser doing the new login. Many premium password-manager services will also generate these codes.

  • An encrypted USB security key that you associate with your account and then confirm by plugging into the new device (or, in the case of NFC wireless-enabled keys, by tapping it against an NFC-enabled mobile device). These cost extra, usually starting at $25, but they can’t be fooled by phishing pages at lookalike addresses – and one can protect multiple accounts.

Who supports what?

Unfortunately, not every service supports all the options I just listed.

Apple, for example, requires a phone number, although the company suggests “verifying an additional trusted phone number other than your own phone number.” Normally, Apple will verify a new login to its iCloud service by pushing a one-time numeric code to an Apple device you’ve already designated as trusted, which you then enter into the new device. Apple does not support USB security keys or one-time codes generated on non-Apple devices.

Facebook made its own case for unlisting your digits when it got caught using wireless numbers users had added for security purposes as an ad-targeting factor. Go ahead and delete your number from the social network; instead, you can verify Facebook logins with a simple yes/no dialog in its mobile apps, one-time codes generated by either its own apps or third-party apps like Google Authenticator, or a USB security key.

Google, among the earliest major supporters of two-step verifications, now suggests the device-prompt approach as its first line of defense and no longer requires a phone number for verification. You can also secure your login with one-time codes or a USB security key. Another reason to enable at least one of these confirmation options: It should vastly lower the odds of getting locked out of your Google accounts if you forget a password.

Microsoft also offers a full menu of phone-number-free verification methods. You can verify a login through a device prompt sent to its Microsoft Authenticator app (available for both iOS and Android), entering one-time codes generated by an authenticator app or password manager, or via plugging in a USB security key. In my experience, Microsoft has been pickier in accepting that last method than the other services listed here.

If you’re using a password manager to generate any of these one-time codes, you should have non-phone-number two-step verification set up there as well. That will also be one password worth writing down – and storing someplace safe at home that you can locate in an emergency.

Travelers, take note

Oh, and here's another downside to using your phone number for two-factor authentication: Relying on your wireless service for verification can also leave you cut off in situations where you have no service, such as on airplanes or when traveling overseas. If you choose the text option, you won't get the verification text until you have cell service again.

So the next time you get prompted to choose how to verify your identity, don't be so quick to choose the "send a text" option. It may take an extra minute or two but it could save you a lot more time and hassle by preventing identity theft.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, email Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.

This article originally appeared on USA TODAY: Two-factor authentication: Why you shouldn't always choose text option

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting