Two or more factors for authentication are standard for many accounts nowadays. 2FA via SMS is also still used a lot. We keep encountering many questions around this topic in our daily lives, especially when it comes to the security of 2FA via SMS. In this post, we’ll take a look at the most frequently asked questions.
Is 2FA via SMS secure or insecure?
Whether sending codes for 2FA via SMS is secure or insecure can really only be answered in relation to other methods, because no method is 100% secure.
However, it is definitely safer to use 2FA via SMS than no two-factor authentication at all. In the event of a targeted attack, it is theoretically possible for the codes to be intercepted. But then attackers still need the second factor, for example the additional password. For more information on targeted attacks, see the section: Can 2FA via SMS be hacked?
Other methods for two-factor authentication, such as using hardware tokens or authentication apps, are often considered more secure because they make use of different encryption. However, usability often suffers here, especially when companies use accounts with 2FA.
So it’s a matter of trade-offs: How much security do you need and how realistic is which authentication option for you?
Is 2FA via SMS better than nothing?
The short answer: Yes, it is better to use or offer two-factor authentication via SMS as a business than nothing.
If you use two factors for authentication, potential attackers still need to know BOTH factors to gain access to an account. This makes 2FA via SMS more secure than password-only.
Nevertheless, always continue to watch for irregularities, report unauthorized access immediately, and if in doubt, set a new password immediately. This applies not only when you use 2FA via SMS, but always.
Can 2FA via SMS be hacked?
The short answer is yes, but only with some significant effort. There are several ways to intercept 2FA via SMS. Here we would like to briefly discuss the most common security concerns.
SIM swapping is when attackers try to convince mobile carriers that they own the number they want to gain access to and redirect the number to another SIM. If this attempt succeeds, the attackers receive incoming SMS from the victim and can also gain access to 2FA codes.
To protect yourself from SIM swapping, many mobile carriers allow you to specify that you must provide a password or similar when you want to make a change such as swapping to another SIM.
It also helps to follow the general recommendation to be sparing and careful with your own data on the Internet. The less attackers can learn about you, the harder it will be for them to fool others. Also, be careful when you receive emails asking you to provide various data, especially if they supposedly come from your mobile carrier.
Hacking the mobile network
When people talk about attackers hacking the mobile network, they usually mean exploiting security holes in the SS7 protocol collection used in mobile communications.
Via certain detours, it is possible to gain access to the information exchanged via SS7, in this case to the content of certain SMS messages. If attackers know not only the content of these SMS, but also your access data, for example to a web application, they can gain full access to your account in this way.
Again, it helps to give your mobile phone number as sparingly as possible and to make sure you handle your data responsibly, especially online. Also, pay attention to what kind of links you open. More on this in the following section on malware.
Whoever has access to the contents of a phone usually has access to the SMS as well. Therefore, spyware or other malware installed on a smartphone can also lead to attackers being able to view 2FA codes. Malicious software can get on a smartphone unnoticed by the user, for example when they download content or open links.
Malware is also often spread via email, so it is worth exercising healthy skepticism and caution here as well. On mobile devices, this may also happen via SMS.
Of course, malware can also get onto a phone via other messages you receive, whether via email, SMS, via Facebook or elsewhere. In short: be careful and do not click on links if you do not trust the sender or if the message looks strange.
Security software can also protect against malware – it is available specifically for mobile devices.
Physical access to unsecured cell phone
Lastly, it is of course possible for attackers to gain access to your data if they steal your unsecured cell phone. Therefore, it is important to secure your phone with a PIN or biometric query so that only you can unlock the phone. These hurdles are not going to stop attackers in every case, but they at least buy you enough time to take other security measures.
Can I use 2FA via SMS without a smartphone?
Yes, many companies rent their own inbound numbers to receive 2FA SMS without a smartphone. In principle, of course, any cell phone can receive SMS, not just smartphones. Still, this option is often impractical for businesses because multiple people need to have access to the code that is sent via SMS for 2FA.
It is important to realize that the security of 2FA by SMS is weakened if multiple people can access the code. Nonetheless, we see time and time again that this variant works for many businesses. Again, after all, this type of two-factor authentication is better than just using a simple password.
How is 2FA via SMS used by companies?
Here we need to distinguish between two cases, namely:
1. Companies that offer 2FA via SMS to their users.
2. Companies that themselves use services in which 2FA via SMS is used.
In the first case, companies offer their users the option of authenticating themselves using 2FA via SMS. This is particularly important for services that require a high level of security, such as online banking. So here, applications or accounts are protected with 2FA.
Such companies have an interest in finding secure and easy-to-use SMS gateways that can also send high volumes of messages quickly.
In the second case, companies themselves use services that offer 2FA via SMS. Sometimes multiple team members need to be able to access the SMS that contains the code for authentication. A possible solution is to book a separate inbound number with an SMS gateway, on which the corresponding SMS can be received. In this case, companies are dependent on simple solutions that still offer a certain level of security.
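For the first case (a company offering 2FA via SMS to its users), the following added example, which is not code from this post or from any provider, sketches the server side: a code is issued only after the password check, expires quickly, works once, and is discarded after a few wrong guesses, so a code that is intercepted has limited value on its own. The class name, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy value)
MAX_ATTEMPTS = 3    # wrong guesses allowed per code (assumed policy value)


class SmsSecondFactor:
    """Hypothetical in-memory store for one-time SMS codes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> {"digest", "expires", "tries"}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user, password_ok):
        # The SMS code is the SECOND factor: never send it before the
        # first factor (the password) has been verified.
        if not password_ok:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._pending[user] = {
            "digest": self._digest(code),  # plain code is not kept server-side
            "expires": self._clock() + CODE_TTL,
            "tries": MAX_ATTEMPTS,
        }
        return code  # hand this to the SMS gateway; do not log it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]  # expired codes are useless to an interceptor
            return False
        if hmac.compare_digest(entry["digest"], self._digest(submitted)):
            del self._pending[user]  # single use: a replayed code fails
            return True
        entry["tries"] -= 1
        if entry["tries"] == 0:
            del self._pending[user]  # guessing limit reached, code is revoked
        return False
```

A new call to `issue` for the same user replaces any earlier pending code, so only the most recently sent SMS is ever valid.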
How do I find a good provider for 2FA via SMS?
You want to send 2FA codes via SMS and wonder what you should look for when choosing an SMS gateway? Basically, the same requirements apply as for bulk SMS providers, except that you should pay special attention to the use of reputable routes and the server location.
Of course, user-friendliness is also really important. Ideally, you can take a look at the user interface of your provider in a demo version or a free account before you commit to any payments.
All the best