NEVER use SMS for Two Factor Authentication, here’s why.

Dickenns Omanga
4 min read · May 31, 2023


You all know those SMS codes you receive when trying to log in to some websites. You think that that’s security? Think again.

What is it, and why use Two Factor Authentication?

First things first, what exactly is 2FA, and why is it important? Two-factor authentication (some sites call it two-step verification, ‘2SV’) adds an additional layer of security to your online accounts by requiring two independent factors to verify your identity. The first factor is typically something you know, like your password, and the second factor is something you have, such as a code sent to your phone via SMS or generated by an authenticator app.

How do you set up 2FA?

Now, let’s move on to setting up 2FA. One popular authenticator app is Microsoft Authenticator, which offers seamless integration with various services. Let’s use LinkedIn as an example to demonstrate how to set up 2FA using Microsoft Authenticator.

Step one, download the Microsoft Authenticator app from your device’s app store and open it.

Step two, open LinkedIn on your computer and navigate to your account settings. Look for the option to enable two-factor authentication.

LinkedIn account settings, go to ‘Sign in & security’

Step three, select the option to use an authenticator app for 2FA. LinkedIn will provide you with a QR code (if you opened LinkedIn on a PC or Mac) or a special code, the ‘secret key’ (if you opened it on a mobile device).

Secret key provided by LinkedIn to use in your authenticator app

Step four, go back to the Microsoft Authenticator app on your phone and tap on the plus icon to add an account. Choose the option to scan a QR code and align your phone’s camera with the QR code on your computer screen. Alternatively, choose the option to input a code manually and use the secret key given on your LinkedIn app if you were using a smartphone.

Add an account on Microsoft Authenticator. You can choose ‘other account’

Step five, once the QR code is scanned, the LinkedIn account will be added to your Microsoft Authenticator app. It will start generating time-based codes that you can use for 2FA when logging into LinkedIn.

Time based code generated by the authenticator app for your LinkedIn account

Fantastic! You’ve successfully set up Microsoft Authenticator for 2FA when accessing your LinkedIn account. Keep in mind that other authenticator apps, such as Google Authenticator and Authy, are also widely used and available for both Android and iOS devices.

Why using an authenticator app is superior to SMS codes for 2FA

Now, let’s delve into the reasons why using an authenticator app is superior to relying on SMS for 2FA. There are three main reasons: security, convenience, and device independence.

Security

While SMS-based 2FA is more secure than relying solely on a password, it still has vulnerabilities. Hackers can exploit weaknesses in the SMS infrastructure, as demonstrated by incidents like SIM-swap scams. In such cases, hackers gather information about their target, pose as the account holder, and request a SIM card replacement. By doing so, they gain control over the victim’s phone number and intercept SMS messages containing 2FA codes, bypassing the security measure.

Authenticator apps eliminate this risk by generating codes directly on your device, making it significantly harder for hackers to gain unauthorized access to your accounts.

Convenience

Authenticator apps provide a seamless user experience. Once set up, they generate time-based codes without the need for an active internet connection. Plus, you can store multiple accounts within a single app, eliminating the need to switch between different SMS messages or services.

Device independence

Authenticator apps are tied to your device rather than to a specific phone number or carrier. This means switching devices never involves your mobile carrier: if you lose your phone or change your number, simply reinstall the authenticator app on your new device and re-add your accounts.

By opting for an authenticator app, you gain flexibility and freedom while ensuring the security of your online accounts.

So…

Remember, prioritizing your online security is crucial, and by using an authenticator app like Microsoft Authenticator, Google Authenticator, or Authy, you’re taking a significant step towards protecting your valuable accounts.

This article is also available as a video on my YouTube channel.

Dickenns Omanga

Orthopaedic Surgeon, Youtuber, techie, and many things in between…