SECURITY: SMS is not a good 2FA (Second Factor Authentication)

Saturday, May 10, 2025

https://www.makeuseof.com/security-apps-protect-your-data/

Install These 5 Security Apps Now to Protect Your Data
Jowi Morales

<< EDITOR ADDED DATE 2025-05-07>>

*** begin quote ***

Authenticator

Usernames and passwords are no longer as secure as you might think; that’s why you should switch to two-factor authentication (2FA) to help secure your online access. You can easily set this up on most accounts, including your accounts on Google, Meta, and more, ensuring that any potential hacker who has compromised your username and password combination still needs a one-time password to gain access.

However, we don’t recommend using SMS for your 2FA code because of its many disadvantages. For example, if you’ve been specifically targeted by personal identity thieves, they can trick your mobile provider into transferring your number to a SIM card that they have (called SIM swap), meaning they will receive your OTP codes on their device. Furthermore, SMS messages can be intercepted, meaning someone targeting you can easily steal your OTPs even if you did not lose access to your SIM card. And if you lose your phone signal (or your service provider runs into problems), you won’t get your codes and will be unable to access your accounts.

*** end quote ***

Personally, I use Google Authenticator. But I have AUTHY, LASTPASS, and BITWARDEN. Can’t say I prefer one over another, but given how stuff gets “deprecated” (i.e., abandoned), I’m ready to switch.

I have a running debate with my bank about their use of SMS.  So far, I’m losing but I’m still nagging.

Argh!

—30—


RANT: CSFB stupid “security theater”

Wednesday, February 15, 2012

OBVIOUS STUPIDITY!

Call up to find out where my pension check is.

Called, went through all the automated questions, and then the operator comes on after a short wait and asks me for my password.

What password?

(Ignores the concept that a “password” is a shared secret. If I knew and told her, then it’s no longer a secret. And, a static password! Please. Even Google two factor authentication is better.)

So we can do anything without them mailing me a new temporary password.

Now envision that I sent them in all my paperwork by certified mail and suggest that number as an authenticator. Or that they call me back. Or that they send me a fax or an email.

Argh!

And, who says that US Mail is secure, unless it’s sent certified mail. (We know they won’t do that because it costs more.)

# – # – # – # – #  2012-Feb-15 @ 13:32