{"id":89891,"date":"2023-05-30T09:24:08","date_gmt":"2023-05-30T07:24:08","guid":{"rendered":"https:\/\/www.seven.io\/?p=89891"},"modified":"2023-05-30T13:26:52","modified_gmt":"2023-05-30T11:26:52","slug":"2fa-via-sms","status":"publish","type":"post","link":"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/","title":{"rendered":"The most frequently asked questions about 2FA via SMS: security, attack risks and ease of use."},"content":{"rendered":"<section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p><strong>Two or more factors for authentication are standard for many accounts nowadays. 2FA via SMS is also still used a lot. We keep encountering many questions around this topic in our daily lives, especially when it comes to the security of 2FA per. 
In this post, we&#8217;ll take a look at the most frequently asked questions.<\/strong><\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_1 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#is_2fa_via_sms_secure_or_insecure\">Is 2FA via SMS secure or insecure?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#is_2fa_via_sms_better_than_nothing\">Is 2FA via SMS better than nothing?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#can_2fa_via_sms_be_hacked\">Can 2FA via SMS be hacked?<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#sim_swapping\">SIM swapping<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#hacking_the_mobile_network\">Hacking the mobile network<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link 
ez-toc-heading-6\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#malware\">Malware<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#physical_access_to_unsecured_cell_phone\">Physical access to unsecured cell phone<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#can_i_use_2fa_via_sms_without_a_smartphone\">Can I use 2FA via SMS without a smartphone?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#how_is_2fa_via_sms_used_by_companies\">How is 2FA via SMS used by companies?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.seven.io\/en\/blog\/2fa-via-sms\/#how_do_i_find_a_good_provider_for_2fa_via_sms\">How do I find a good provider for 2FA via SMS?<\/a><\/li><\/ul><\/nav><\/div>\n\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"is_2fa_via_sms_secure_or_insecure\"><\/span>Is 2FA via SMS secure or insecure?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Whether sending codes for 2FA via SMS is secure or insecure can really only be answered in relation to other methods, because no method is 100% secure.<\/p>\n<p>However, it is definitely safer to use 2FA via SMS than no two-factor authentication at all. 
In the event of a targeted attack, it is theoretically possible for the codes to be intercepted. But then attackers still need the second factor, for example the additional password. For more information on targeted attacks, see the section: Can 2FA via SMS be hacked?<\/p>\n<p>Other methods for two-factor authentication, such as using hardware tokens or authentication apps, are often considered more secure because they make use of different encryption. However, usability often suffers here, especially when companies use accounts with 2FA.<\/p>\n<p>So it&#8217;s a matter of trade-offs: How much security do you need and how realistic is which authentication option for you?<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_middle type_default stacking_default\"><div class=\"vc_col-sm-8 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"is_2fa_via_sms_better_than_nothing\"><\/span>Is 2FA via SMS better than nothing?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The short answer: Yes, it is better to use or offer two-factor authentication via SMS as a business than nothing.<\/p>\n<p>If you use two factors for authentication, potential attackers still need to know BOTH factors to gain access to an account. This makes 2FA via SMS more secure than password-only.<\/p>\n<p>Nevertheless, always continue to watch for irregularities, report unauthorized access immediately, and if in doubt, set a new password immediately. 
This applies not only when you use 2FA via SMS, but always.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"vc_col-sm-4 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"w-image align_none\"><div class=\"w-image-h\"><img decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en.png\" class=\"attachment-full size-full\" alt=\"2FA via SMS is still used a lot\" loading=\"lazy\" srcset=\"https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en.png 400w, https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en-300x300.png 300w, https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en-150x150.png 150w, https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en-350x350.png 350w, https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en-250x250.png 250w, https:\/\/www.seven.io\/wp-content\/uploads\/blog_2FAfaq_beispiel_en-200x200.png 200w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"can_2fa_via_sms_be_hacked\"><\/span>Can 2FA via SMS be hacked?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The short answer is yes, but only with some significant effort. There are several ways to intercept 2FA via SMS. 
Here we would like to briefly discuss the most common security concerns.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"sim_swapping\"><\/span>SIM swapping<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><a href=\"https:\/\/blog.mozilla.org\/en\/privacy-security\/mozilla-explains-sim-swapping\/\" target=\"_blank\" rel=\"noopener\">SIM swapping<\/a> is when attackers try to convince mobile carriers that they own the number they want to gain access to and redirect the number to another SIM. If this attempt succeeds, the attackers receive incoming SMS from the victim and can also gain access to 2FA codes.<\/p>\n<p>To protect yourself from SIM swapping, many mobile carriers allow you to specify that you must provide a password or similar when you want to make a change such as swapping to another SIM.<\/p>\n<p>It also helps to follow the general recommendation to be sparing and careful with your own data on the Internet. The less attackers can learn about you, the harder it will be for them to fool others. Also, be careful when you receive emails asking you to provide various data, especially if they supposedly come from your mobile carrier.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"hacking_the_mobile_network\"><\/span>Hacking the mobile network<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>When people talk about attackers hacking the mobile network, they usually mean exploiting security holes in the SS7 protocol collection used in mobile communications.<\/p>\n<p>Via certain detours, it is possible to gain access to the information exchanged via SS7, in this case to the content of certain SMS messages. If attackers know not only the content of these SMS, but also your access data, for example to a web application, they can gain full access to your account in this way.<\/p>\n<p>Again, it helps to give your mobile phone number as sparingly as possible and to make sure you handle your data responsibly, especially online. 
Also, pay attention to what kind of links you open. More on this in the following section on malware.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"malware\"><\/span>Malware<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Whoever has access to the contents of a phone usually has access to the SMS as well. Therefore, spyware or other malware installed on a smartphone can also lead to attackers being able to view 2FA codes. Malicious software can get on a smartphone unnoticed by the user, for example when they download content or open links.<\/p>\n<p>Malware is also often spread via email, so it is worth exercising healthy skepticism and caution here as well. On mobile devices, this may also happen via SMS.<\/p>\n<p>Of course, malware can also get onto a phone via other messages you receive, whether via email, SMS, via Facebook or elsewhere. In short: be careful and do not click on links if you do not trust the sender or if the message looks strange.<\/p>\n<p>Security software can also protect against malware \u2013 it is available specifically for mobile devices.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"physical_access_to_unsecured_cell_phone\"><\/span>Physical access to unsecured cell phone<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Lastly, it is of course possible for attackers to gain access to your data if they steal your unsecured cell phone. Therefore, it is important to secure your phone with a PIN or biometric query so that only you can unlock the phone. 
These hurdles are not going to stop attackers in every case, but they at least buy you enough time to take other security measures.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_middle type_default stacking_default\"><div class=\"vc_col-sm-8 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"can_i_use_2fa_via_sms_without_a_smartphone\"><\/span>Can I use 2FA via SMS without a smartphone?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Yes, many companies <a href=\"\/en\/products\/inbound-sms\/\">rent their own inbound numbers<\/a> to receive 2FA SMS without a smartphone. In principle, of course, any cell phone can receive SMS, not just smartphones. Still, this option is often impractical for businesses because multiple people need to have access to the code that is sent via SMS for 2FA.<\/p>\n<p>It is important to realize that the security of 2FA by SMS is weakened if multiple people can access the code. Nonetheless, we see time and time again that this variant works for many businesses. Again, after all, this type of two-factor authentication is better than just using a simple password.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"vc_col-sm-4 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"w-actionbox color_secondary controls_bottom\"><div class=\"w-actionbox-text\"><div class=\"w-actionbox-description\"><p>Should your business be able to receive SMS? 
Our blog post on the topic will help you decide.<\/p>\n<\/div><\/div><div class=\"w-actionbox-controls\"><a class=\"w-btn us-btn-style_8\" href=\"https:\/\/www.seven.io\/en\/blog\/should-your-company-be-able-to-receive-sms\/\"><span class=\"w-btn-label\">Read article<\/span><\/a><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"how_is_2fa_via_sms_used_by_companies\"><\/span>How is 2FA via SMS used by companies?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Here we need to distinguish between two cases, namely.<br \/>\n1. companies that offer 2FA via SMS to their users<br \/>\nand<br \/>\n2. companies that themselves use services in which 2FA via SMS is used.<\/p>\n<p>In the first case, companies offer their users the option of authenticating themselves using 2FA via SMS. This is particularly important for services that require a high level of security, such as online banking. So here, applications or accounts are protected with a 2FA.<br \/>\nSuch companies have an interest in finding secure and easy-to-use SMS gateways that can also send high volumes of messages quickly.<\/p>\n<p>In the second case, companies themselves use services that offer 2FA via SMS. Here, sometimes multiple team members need to be able to access the SMS that contains the code for authentication. Here, a possible solution can be to book a separate inbound number with an SMS gateway, on which the corresponding SMS can be received. 
In this case, companies are dependent on simple solutions that still offer a certain level of security.<\/p>\n<\/div><\/div><div class=\"ult-content-box-container \" >\t\t<div class=\"ult-content-box\" style=\"box-shadow: px px px px none;border-style:solid;border-width:5px;border-color:#55acff;padding:20px;-webkit-transition: all 700ms ease;-moz-transition: all 700ms ease;-ms-transition: all 700ms ease;-o-transition: all 700ms ease;transition: all 700ms ease;\"  data-hover_box_shadow=\"none\"     data-border_color=\"#55acff\" ><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p style=\"text-align: center;\">Please note:<\/p>\n<p style=\"text-align: center;\">Many services send 2FA SMS with <a href=\"\/en\/blog\/what-is-an-sms-sender-id\/\">an alphanumeric sender ID<\/a>. So when selecting your own inbound number, make sure that it can receive SMS from alphanumeric senders.<\/p>\n<\/div><\/div>\t\t<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3><span class=\"ez-toc-section\" id=\"how_do_i_find_a_good_provider_for_2fa_via_sms\"><\/span>How do I find a good provider for 2FA via SMS?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>You want to send 2FA codes via SMS and wonder what you should look for when choosing an SMS gateway? Basically, the same requirements apply <a href=\"\/en\/blog\/choose-a-bulk-sms-provider\/\">as for bulk SMS providers<\/a>, except that you should pay special attention to the use of reputable routes and the server location.<\/p>\n<p>Of course, user-friendliness is also really important. 
Ideally, you can take a look at the user interface of your provider in a demo version or a free account before you commit to any payments.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p style=\"text-align: center;\"><em>Do you have any questions? We are looking forward to <a href=\"\/en\/company\/contact\/\">your message<\/a>.<\/em><\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"w-separator size_medium with_line width_default thick_1 style_solid color_text align_center with_text with_content\"><div class=\"w-separator-h\"><p class=\"w-separator-text\"><span>All the best<\/span><\/p><\/div><\/div><div class=\"w-image align_center\"><div class=\"w-image-h\"><img decoding=\"async\" width=\"289\" height=\"38\" src=\"https:\/\/www.seven.io\/wp-content\/uploads\/2017\/07\/unterschrift-1.png\" class=\"attachment-full size-full\" alt=\"Your sms77 team\" loading=\"lazy\" \/><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><section class=\"l-section wpb_row height_small\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p style=\"text-align: center;\"><em>Header picture 
filadendron via iStock<\/em><\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section>\n","protected":false},"excerpt":{"rendered":"Two or more factors for authentication are standard for many accounts nowadays. 2FA via SMS is also still used a lot. We keep encountering many questions around this topic in our daily lives, especially when it comes to the security of 2FA per. In this post, we&#8217;ll take a look at the most frequently asked...","protected":false},"author":1,"featured_media":89743,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[405],"tags":[419,5518],"class_list":["post-89891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy-security-en","tag-2fa-en","tag-zweifaktorauthentisierung-en"],"_links":{"self":[{"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/posts\/89891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/comments?post=89891"}],"version-history":[{"count":20,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/posts\/89891\/revisions"}],"predecessor-version":[{"id":90022,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/posts\/89891\/revisions\/90022"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/media\/89743"}],"wp:attachment":[{"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/media?parent=89891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp\/v2\/categories?post=89891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seven.io\/en\/wp-json\/wp
\/v2\/tags?post=89891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}