Whatever You Do, Don't Use Your Phone Number for Two-Factor Authentication.

You should use two-factor authentication (2FA) on every account that supports it. You probably already do this for at least some accounts, and it probably pisses you off from time to time. Every time you try to sign in you need to find your phone, check the code they sent you and enter it to continue. However, it’s all worth it in the name of account security, right? Well, sort of. If you use your phone number as your second factor, you are actually putting yourself at unnecessary risk.

Why 2FA makes your accounts more secure

The problem with passwords is that everyone knows yours. Of course, this is an exaggeration, but password leaks are all too common, and they add up to billions of known passwords living on the Internet that anyone can find and use. To make matters worse, many of us ignore the advice to use a strong and unique password for each account, preferring to reuse the same weak password for “easier” logins. If that password leaks, every account you use it for is compromised.

2FA fixes this problem by requiring both your password and access to a trusted device in order to authenticate. After you enter the correct password, two-factor authentication requires the appropriate code or device before you can sign in. Depending on the 2FA method you choose, the service may send you this code by SMS, ask you for a code from an authenticator app, or require you to present a physical security key to verify your identity.

When you set up 2FA, it doesn’t matter if a hacker steals your password: without access to the second factor (the code or the device), they’ll be stuck.

SMS-based 2FA is the weakest kind

Any additional form of authentication is better than none. However, SMS is the weakest method available. Phone numbers are simply not a secure form of identification. Attackers can trick network operators into porting your phone number to their SIM card in an attack known as SIM swapping, or pay another company to forward your text messages to their number. Either way, they will receive your 2FA SMS codes and will be able to get into your accounts without any trouble.

This is not only a 2FA issue. Using a phone number as the username for your accounts is also risky. There are so many recycled phone numbers in this country that there is a good chance you have a number that used to belong to someone else. If that person also used the number for an account and never changed it, logging in with that number can grant you access to their account. This is a known problem on WhatsApp, where users have reported losing access to their accounts because someone else signed in with their old number.

We can thank Twitter for reviving the discussion about SMS-based 2FA.

SMS 2FA made the news thanks to Elon Musk’s announcement that Twitter is dropping the authentication method for free accounts. Starting March 20, only Twitter Blue subscribers will have access to SMS-based 2FA. The app will then deactivate SMS 2FA for everyone who isn’t handing Musk their $8.

Twitter will continue to support other forms of 2FA for free. However, the move is stupid. It’s hard enough to get users to adopt security practices like 2FA at all. While some may take the time to set up another form of 2FA, many won’t, meaning a significant portion of Twitter’s user base will be vulnerable on March 20th. It would be wiser to encourage your user base to move to more secure forms of 2FA. Since Elon won’t, I will: please use a more secure 2FA method.

Use authenticator apps or security keys for 2FA instead.

Whether you’re trying to protect your free Twitter account or any other, choosing a different 2FA option when available can increase your security.

The most convenient alternative is an authenticator app. A dedicated app such as Google Authenticator (iOS | Android) or Microsoft Authenticator (iOS | Android) generates a new 2FA code for your account every 30 seconds. When it’s time to sign in, you open the app, read the code, and enter it. This removes the risk of someone remotely hijacking your phone number to intercept the code, as they would need physical access to the device running the authenticator app to see it. Apple even builds an authenticator into the password manager on iPhone and Mac, so you don’t need to download anything extra to get started.

Another secure form of 2FA is the security key, which is essentially an authenticator app in physical form. Once it is set up, your account will ask you to present the security key, either by plugging it into your device or by tapping it over a wireless connection such as NFC. This is far less convenient than a free authenticator app, but it provides some serious security for your accounts.

So, let phone numbers be phone numbers and reserve them for calls and text messages. Leave authentication to the professionals and we’ll all be a little safer online.
