SMS Two Factor Authentication Is Very Unsecure

Photo courtesy of Hacker News

As many in crypto already know, two factor authentication (2FA) essentially requires two modes to log into an account. In this case a username & password, then a six digit code sent via SMS (Short Message Service) or via an app.

Now there is a key difference between these two versions of 2FA. SMS is a lot less secure, as the message can be easily intercepted by anyone willing to put the effort in. It takes a simple google search and wallah, plenty of tutorials on how to intercept a SMS text.

The US National Institute of Standards and Technology (NIST) warned that SMS is a poor way to deliver 2FA. NIST also declared that sending one time passwords to mobile phones is also insecure. If a hacker knows your phone number, which isn't hard to figure out these days with social media and the amount of services that require are phone number. Then all they have to do is tell a service to send the text, intercept it, enter the code, and they're in.

Photo courtesy of MIT News

If a hacker can intercept and subvert SMS texts, a person may never know until it is too late that their account has been breached. And most hackers don't have a hard time finding personal information since a majority of people put their personal info all over the internet, it is now easily accessible via a simple google search of a persons name.

Scores of businesses like Google, Facebook, Twitter, and others use SMS verification as a fall back, which leaves them exposed to being intercepted.

NIST even stated:

"Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators."

Now you ask what are these alternative authenticators?

There are a few, but the common ones seen in crypto are Duo Mobile and Google Authenticator. Both of these offer much more security as they send the code to one place, the app. You can consider this True 2FA and SMS as a very insecure system you should avoid at all cost.

I personally use both Duo Mobile and Google Authenticator, this is partially due to the fact that some exchanges only take one or the other. They both work well, but I prefer Duo Mobile, as it is a cleaner interface and it's codes don't refresh every 30 seconds like Google Authenticator, which can be a hassle when logging in. In Duo, you simply click the key and the code appears, you re-click the key if you need a new code.

Duo Mobile	Google Authenticator

As you can see they are both pretty simple. Click "+" symbol and it allows you to scan or manually add a new code for an account or to change an account.

I highly recommend that you 2FA all your cryptocurrency accounts. If you really want to be safe, you should have a different email for all your cryptocurrency accounts. I even suggest doing it for other accounts whether it be a bank account, school accounts, etc., it is much safer. Along with that never use a password more than once or for multiple accounts; you are a hackers paradise, as once they get one password, it's over.

This even goes for if you used a password five years ago on your Reddit account (for example), and you want to use it on a crytpocurrency account. If Reddit has/had a breach some where in those five years, and hackers get a hold of the data, they will sell it on black markets to other people. Those people will then use the log in info to try to breach other accounts of the user.

I hope this brings everyone up to speed with which 2FA is truly 2FA and which is not. Cybersecurity is something that should not be taken lightly.

If you liked this content, please upvote, comment, share, and resteem it!

Follow me @investoranalysis

Thanks!