How to protect your account when SMS is the only 2FA option

B
Two-Factor Everything
3 min read · Oct 13, 2016


Recently there have been a few posts talking about how accounts protected with SMS 2FA were taken over. This is a step-by-step guide to protect accounts that offer only SMS 2FA.

This summer the National Institute of Standards and Technology (NIST) deprecated SMS-based two-factor authentication in its Digital Authentication Guideline. If, like me, you pay attention to security and authentication, that wasn’t very surprising — SMS-based 2FA is weak. Your text messages always pass through your mobile carrier, which means an attacker who can social engineer the carrier (for example, by getting your number moved to a phone they control) can read them.

Who cares?

Security researchers have been warning about this kind of attack for as long as anyone’s been using text messages to authenticate. But websites and users have recently adopted it in much greater numbers and there have been a few high-profile breaches in the wild.

First, Black Lives Matter activist Deray McKesson had his Twitter account taken over through Verizon. Even though Twitter had enabled app-based 2FA (which isn’t an option anymore), the site always fell back to SMS.

Then, Coinbase was attacked by someone who was able to take over an employee’s phone. The attacker was able to take over several personal accounts, including Facebook, and send messages to the CEO and other employees asking them to transfer Bitcoin and reset passwords.

Harden SMS when it’s your only 2FA option

You should always opt for U2F or TOTP-based 2FA. For websites that don’t support them, avoid using your carrier-based phone number for 2FA.

Here’s how to harden SMS when it’s your only 2FA option:

  1. Set up a new Google account, NOT the one you use for email or anything else, and make sure you turn on TOTP or push-notification 2FA for this account.
  2. Create a Google Voice number on this new account, and use that number to receive your two-factor authentication codes.
  3. DO NOT forward the codes to your normal phone number or email address. Instead, you should download the Google Voice app for your phone and use that to receive the messages (on iOS the app is super old and ugly, but we don’t need it to be pretty).

You could also set up a number with Twilio or Tropo, but neither supports TOTP or U2F. I’ve tried a half dozen other SMS-receiving apps outside of Google Authenticator, but none of them support two-factor auth at all.

Conclusions and disclaimer

Despite its flaws, SMS-based two-factor authentication is still better than passwords alone, and it probably isn’t going anywhere soon. You should always opt for two-factor auth based on the new U2F standard or even the older TOTP standard whenever you can, but if you need to harden the security on an account that only offers SMS protection, this is a great way to do it.

B is the CEO and co-founder at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.


usually thinking about what it’s like to be people on the internet — director of product at twitter — married to @ericajoy — he/him