The FBI is Warning Against Using Text-Based Two-Factor Authentication. Here’s What You Need To Know and What You Can Do About It.
In light of recent cybersecurity concerns, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised against using SMS-based two-factor authentication (2FA) where possible due to its insecure nature and how hackers can exploit it.
This is a story from News Nation in the US. I often don't understand why the news covers stuff like this. Reporters and anchors can cover regular news stories just fine most of the time, but with this, it's the blind leading the blind, and it's clear they have no clue what they're talking about beyond the words "SMS" or "WhatsApp". Not even their supposed expert comes across coherently, between the editing and the fact that he can't properly explain what he's talking about in the time they give him.
People are just going to think "What? What does a password manager have to do with this?" or "How do I use WhatsApp or Signal to receive a two-factor code?". The answer to the latter question is that you can't, so I don't know why it's mentioned.
So, let's break this down...
What’s Wrong with SMS-Based 2FA?
SMS messages are not end-to-end encrypted. They pass through the carrier's network in a form the carrier (and anyone who can get into that network) can read, which makes them susceptible to interception by cybercriminals, though that kind of interception is usually targeted at a specific victim rather than done in bulk.
Additionally, SIM-swapping attacks, where attackers convince a mobile carrier to move a victim's phone number onto a SIM card they control, let hackers receive the victim's 2FA codes and gain unauthorized access to their accounts.
Interception of Messages
When a 2FA code is sent to your phone, it's essentially out in the open. Hackers *could* exploit weaknesses in telecom systems, such as the SS7 signalling network that carriers use to route calls and texts between each other, to redirect or read these messages. Text messaging wasn't designed with today's cyber threats in mind, which makes it a weak link in securing your accounts.
SIM Swapping Attacks
Here's a frightening scenario: a hacker impersonates you and convinces your mobile carrier to transfer your phone number to a SIM card they control. Once that happens, every text meant for you, including 2FA codes, goes to them. This is called SIM swapping. Now they can get into your accounts even though you have 2FA turned on. This type of attack doesn't require fancy tech, just some social engineering skill to manipulate the carrier rep they're talking to.
Phishing Vulnerabilities
SMS-based 2FA is also a big target for phishing attacks. Cybercriminals send fake text messages that look official, tricking you into sharing your 2FA code or logging into a fake site.
For instance, you might receive a message that says, "Suspicious login detected. Please confirm your account here," followed by a link. If you're not careful, you could hand over your password and the 2FA code that follows without even realizing it. SMS has no sender authentication (the sender name or number can be spoofed), which makes it easy for attackers to mimic legitimate senders.
Reliability Issues
Even when hackers aren't involved, SMS 2FA can fail you. Text messages can be delayed or blocked, especially if you're travelling internationally, dealing with a network issue, or in an area with poor cellular coverage.
Imagine being locked out of an important account because your 2FA code didn’t arrive on time. This kind of reliability problem is another reason SMS isn’t the most trustworthy option for critical security measures.
Each of these points highlights why SMS-based 2FA isn't ideal. Considering these vulnerabilities, alternatives like authenticator apps or hardware security keys are preferable.
Safer Alternatives to SMS-Based 2FA
1. Authenticator Apps: Applications like Authy generate one-time codes on your phone, which you then type into the website you're logging in to. This is a more secure method of 2FA, though not every website offers it.
App-based codes are never sent to you at all. When you scan the website's QR code, your phone and the website store the same secret key for that account. From then on, each side combines that secret with the current time (usually in 30-second steps) to compute the same six-digit code. That's why the codes work with no internet connection or cellular signal, and why your phone's clock needs to be roughly correct.
2. Hardware Security Keys: Physical devices such as YubiKeys offer robust security by requiring physical possession of the key to access accounts. With the FIDO2/WebAuthn standard they also only respond to the genuine website's domain, so a look-alike phishing page can't collect anything usable. They're not free, though.
3. Encrypted Messaging Apps: These are mentioned in the news story, but they don't apply to what we're talking about.
Using platforms like Signal or WhatsApp for sensitive communications ensures that messages are end-to-end encrypted, reducing the risk of interception. Both are fantastic. However, they aren't a way to receive 2FA one-time codes (app-based or text-based). These apps are designed to secure regular conversations, improving privacy and security.
What If SMS Is Your Only Option?
If a service only offers SMS-based 2FA, consider the following precautions:
- Use Strong, Unique Passwords: Use a long, unique password for every account so that one breached site doesn't expose the others. If you can remember all of your passwords, they're almost certainly too short or reused. THIS is where password managers come in. Many of them can also act as an authenticator app and generate app-based 2FA codes, but they cannot receive a text-message code from a website for you. I strongly recommend 1Password or Bitwarden.
- Enable Account Alerts: Activate notifications for suspicious login attempts to respond promptly to unauthorized access.
- Be Vigilant Against Phishing Scams: To prevent credential theft, avoid clicking unsolicited links in text messages from numbers you don't recognize that claim to be UPS, FedEx, etc. Check on a package by finding the tracking number in your email or shipping receipt and entering it on the carrier's official website yourself.
Adopting these practices can enhance your online security and protect your personal information from potential threats.
Thank you so much for reading this blog post! You can keep up to date with my latest posts right here on KevinTheTechGuy.ca, or via the RSS feed. You can also check out my FREE newsletter. For bonus content and other perks, please consider supporting me on Patreon or Buy Me a Coffee! Your support makes my work possible.