Why you should enable two-factor authentication everywhere, just not on SMS
Two-factor authentication, also known as 2FA, is a good thing. It helps to protect your online accounts by requiring both your password and a temporary, single-use code (typically sent to or generated on your mobile phone) in order to log in.
That way, even if someone steals your password, they still can’t log into your account if they don’t possess your mobile and the code.
Passwords are easily stolen. They can be sniffed off the air if you use public Wi-Fi and an unencrypted connection to a website. Password hashes in stolen databases, such as the one from Yahoo’s one-billion-user breach, can be cracked offline. And if you reuse the same password across multiple sites, a single breach is all an attacker needs to get into your other accounts.
That’s why I recommend you activate 2FA on all the sites you use that offer it, which include popular accounts like Apple, Google, Facebook, Instagram and Twitter.
Where possible, however, I also recommend you not use 2FA through SMS. That’s because text messages can be intercepted and redirected to an attacker’s phone instead of yours. For years this was known to be possible in principle, but recently a group of thieves actually exploited the weakness to empty victims’ bank accounts in Germany.
As in Singapore, German banks require online banking customers to enter a code sent to their phone before a transaction is approved. In this case, the attackers first infected their victims’ computers with malware and collected their bank account details, including login passwords and mobile numbers.
They then purchased access to a rogue telecommunications provider, which let them redirect the victims’ text messages to phones they controlled. That gave them the 2FA codes, and with them the ability to approve transfers out of the accounts.
Many sites nowadays also offer 2FA through authenticator apps like Authy. When you scan the QR code the site shows you, the app stores a ‘secret key’ that the site generated and shares only with your device. From that secret and the current time, the app computes a fresh six-digit code every 30 seconds or so (the TOTP algorithm), so it can produce login codes even when your smartphone has no data connection at all.
Google, Facebook and Twitter are among the popular sites that offer this option. Instead of codes being sent to your phone over SMS, they’re generated on your device, and the code never travels over the mobile network. Even if attackers redirect your text messages, they still won’t get your login codes.
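To make the app-based flow concrete, here is an added Python example (not code from the original post, nor from Authy, Google or 1Password) of what happens behind the QR code: the site encodes the shared secret in an `otpauth://` URI, and both the site and the app derive codes from that secret and the clock using TOTP (RFC 6238), which is HOTP (RFC 4226) with a time-step counter. The URI, the account label and the secret below are constructed for the example; the secret is the well-known RFC test key, so the codes match the RFC test vectors. The server-side `verify_totp` shows the checks a practitioner expects: a small drift window, a constant-time comparison, and rejection of already-used codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: the RFC 4226/6238 test key
# "12345678901234567890", base32-encoded as it would appear in a QR code.
# A real site generates a random secret per account.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               f"?secret={SECRET_B32}&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth:// URI,
    which is the text the site's QR code contains."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, period=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(time / period).
    Only the secret and a clock are needed; no network, no SMS."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // period, digits)


def verify_totp(secret, submitted, unix_time, period=30, digits=6,
                window=1, last_used_step=None):
    """Server-side check. Accepts the current step and +/- `window`
    neighbouring steps to tolerate clock drift, compares in constant time,
    and refuses any step at or before the last one already used, so a
    captured code cannot be replayed. Returns the accepted step or None."""
    step = int(unix_time) // period
    for candidate in range(step - window, step + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    code = totp(params["secret"], now, params["period"], params["digits"])
    print(f"{params['label']}: {code}")
    print("accepted time step:", verify_totp(params["secret"], code, now))
```

The point the post makes falls straight out of the code: the only thing that ever crosses the network is the secret, once, inside the QR code at enrolment. After that, the phone company is not in the loop, so redirecting the victim’s SMS gains an attacker nothing. The `last_used_step` bookkeeping is what stops a code phished from the user a few seconds earlier from being reused.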
If you use 1Password, things get even easier. 1Password can be used as an authenticator for 2FA, so I get codes inside my password manager instead of a separate app, making logins easier.
Is using 2FA more troublesome than not using it? Yes, of course it is. But convenience is always in a tug of war with security, and when it comes to valuable accounts like your email, I’d recommend you err on the side of security more often than not.