It’s Time to Stop Using SMS and 2FA Apps for Two-Factor Authentication

Dan Price 15-02-2018

These days, it seems every website you ever visit tries to encourage you to use two-factor authentication (2FA).


One of the most common ways to use 2FA is to input a unique code from your mobile device. Typically, you receive the code in a text message or you use a third-party 2FA app to generate one.

The two methods are both popular ways to use codes due to their convenience. However, both methods are also weak from a security standpoint. And because your 2FA code is only as secure as the technology used to deliver it, the weaknesses are important.

So, what’s wrong with using SMS and third-party apps to receive your codes? And is there an equally convenient alternative that’s more secure? We’re going to explain everything. Keep reading to find out more.

How Two-Factor Authentication Works

Let’s take a moment to discuss how two-factor authentication works. Without understanding the mechanics behind the technology, the rest of this article will not make a lot of sense.

In broad terms, 2FA adds an extra layer of security to your account. Also known as multi-factor authentication, it means your login credentials consist not only of a password but also of a second piece of information that only the account’s legitimate owner has access to.


2FA comes in lots of different forms. At its most basic level, it could be something as simple as security questions (because no one else could possibly know your mother’s maiden name or your favorite pet). Strictly speaking, a security question is a second “something you know” rather than a true second factor, which is why it offers the least protection. At the more complicated end, it could be a biometric ID such as a retina scan or a fingerprint.

Why You Should Avoid SMS Verification

SMS enjoys a position as the most accessible way to access and use 2FA codes. If a site offers two-factor authentication logins, it almost certainly offers SMS as one of the options.

But SMS isn’t a secure way to use 2FA. It has two key weaknesses.

Firstly, the technology is susceptible to SIM swap attacks. It doesn’t take much for an attacker to perform one. With one other piece of personal information, such as your social security number, they can call your carrier, convince a support agent that they are you, and have your number moved to a SIM card they control. From then on, every SMS code meant for you is delivered to them.


Secondly, attackers can intercept SMS messages. It all comes back to the now-dated Signaling System No. 7 (SS7) phone routing system. The protocol was designed back in 1975 but is still used almost globally to set up and tear down calls. It also handles number translations, prepaid billing and, crucially, SMS routing.

Unsurprisingly, this technology from 1975 is full of security holes. Here’s how security expert Bruce Schneier described the flaws:

“If the attackers have access to an SS7 portal, they can forward your conversations to an online recording device and reroute the call to its intended destination […] It means a well-equipped criminal could grab your verification messages and use them before you’ve even seen them.”

Of course, discovering that a cyber-criminal has hacked your Facebook account is far from ideal. But the situation is scarier when you consider the other uses of 2FA. A cyber-criminal could steal the codes you use for online banking, or even initiate and complete money transfers.

Furthermore, Schneier also notes that anyone can purchase access to the SS7 network for around $1,000. Once they have access, they can send a routing request for your number, and because the network may not authenticate the source of that request, your messages are redirected wherever the attacker asks.


Remember, using two-factor authentication via SMS is better than leaving 2FA disabled, and it’s unlikely that you will become a victim. However, if you’re starting to feel a bit concerned, keep reading. Many people accept that SMS is insecure and turn to third-party apps instead.

But that may not be much better.

Why You Should Avoid 2FA Apps

The other common way to use 2FA codes is to install a dedicated smartphone app. There are lots to choose from. Google Authenticator is arguably the most recognizable, but it’s not necessarily the best. There are lots of alternatives out there—check out Authy, Authenticator Plus, and Duo.

But how secure are specialist 2FA apps? Their biggest weakness is their reliance on a shared secret key.


Let’s take a step back for a second. When you enable app-based 2FA on a site, the site generates a secret key and shows it to you as a QR code (or a string of characters) that you scan or type into the app. The same secret now lives in two places: your phone and the site’s servers.

When you log in, the app computes a code from a combination of that secret and the current time (in 30-second steps). At the same moment, the server computes a code from its copy of the secret and its own clock. The two codes need to match for access to be granted. Sounds sensible.

So why are keys the weak point? Well, what happens if a cyber-criminal manages to gain access to a company’s password and secrets database? Every account would be vulnerable. Because the server holds exactly the same secret as your phone, the attacker can generate valid codes for every user for as long as the secrets stay in use, and could come and go at will.

Secondly, the secret is handed to you in plain text or as a QR code, and unlike a password it cannot be stored as a salted hash: the server needs the raw value every time it verifies a code. At best it is encrypted at rest and decrypted on each use; at worst it sits in plain text on the company’s servers. Either way, whoever compromises the server along with its decryption keys gets the secret.

The shared secret is the fundamental weakness of the Time-Based One-Time Password (TOTP) scheme that these apps use. A TOTP code can also be phished: a fake login page that relays your password and code to the real site in real time gets in, because nothing ties the code to the site you are actually talking to. That’s why a physical U2F key, which uses a per-site key pair and signs only for the origin it was registered with, is a more secure option.

Flaws in Design and Security for 2FA Apps

Of course, the chances of a cyber-criminal hacking a third-party app’s necessary databases are fairly small. But your app could also suffer from basic security flaws in its design.

Popular password manager LastPass fell victim in December 2017. A programmer’s blog post on Medium revealed that the 2FA secret keys in the LastPass Authenticator app could be accessed without a fingerprint, password, or other security measures.

The bypass wasn’t even complicated. By launching the LastPass Authenticator app’s settings activity (com.lastpass.authenticator.activities.SettingsActivity) directly, one could enter the settings pane for the app without any checks. From there, pressing Back once led to all the 2FA codes.

LastPass has now fixed the flaw, but questions remain. According to the programmer, he had tried to tell LastPass about the issue for seven months, but the company never fixed it. How many other third-party 2FA apps are insecure? And how many unfixed vulnerabilities do the developers know about but delay patching? There are also concerns about losing access to your code generator, on Facebook for instance.

What to Do Instead: Use U2F Keys

Instead of relying on SMS or a 2FA app for your codes, you should use Universal 2nd Factor (U2F) keys. They are the most secure way of proving your identity to the services you use, because they never rely on a code that can be read, relayed, or copied.

Widely considered to be a second-generation version of 2FA, U2F both simplifies and strengthens the process. Additionally, using a U2F key is almost as convenient as opening an SMS message or a third-party app.

U2F keys use either an NFC or USB connection. When you register the key with a site for the first time, the key generates a fresh public/private key pair that is specific to that site (identified by its origin, such as https://example.com) and hands the site the public key together with an opaque “key handle”. The private key never leaves the device. At each later login, the site sends a random challenge (a nonce), and the key signs that challenge together with the site’s origin and a usage counter; the site checks the signature with the public key it stored. Because the signature covers the origin, a look-alike phishing site cannot obtain a signature the real site will accept, and a breach of the site’s database yields only public keys.

[Image: FIDO Certified U2F key]

Thereafter, you deploy your U2F key by plugging it in (or tapping it against your phone) when the service asks for it and touching the button on the key to approve the login.
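The registration and login exchange described above, reduced to its cryptographic core in Go as an added example (not code from any vendor’s key or from the FIDO specifications themselves). It models the key as a struct holding per-registration P-256 key pairs, signs the U2F authentication layout (SHA-256 of the app ID, a flags byte, a counter, SHA-256 of the client data) with ECDSA, and then shows why a relayed challenge from a look-alike origin fails verification. The origins https://example.com and https://examp1e.com and the challenge string are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Authenticator models the security key: one key pair per registration, indexed
// by an opaque key handle, plus a signature counter. Private keys never leave it.
type Authenticator struct {
	creds    map[string]*ecdsa.PrivateKey
	counters map[string]uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}, counters: map[string]uint32{}}
}

// Register mints a fresh P-256 key pair and returns only the public key and a
// key handle. Those two values are all the site stores; neither is secret.
func (a *Authenticator) Register() (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	handle := hex.EncodeToString(raw)
	a.creds[handle] = priv
	return &priv.PublicKey, handle, nil
}

// signedMessage mirrors the U2F authentication layout:
// SHA-256(appID) || flags || counter (4 bytes, big-endian) || SHA-256(clientData)
func signedMessage(appID string, flags byte, counter uint32, clientData []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	clientHash := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, flags)
	msg = append(msg, ctr[:]...)
	return append(msg, clientHash[:]...)
}

// Authenticate signs for whatever origin the browser reports. The key cannot tell
// a look-alike site from the real one; it simply binds the signature to that origin.
func (a *Authenticator) Authenticate(handle, appID string, clientData []byte) ([]byte, uint32, error) {
	priv, ok := a.creds[handle]
	if !ok {
		return nil, 0, fmt.Errorf("unknown key handle")
	}
	a.counters[handle]++
	counter := a.counters[handle]
	digest := sha256.Sum256(signedMessage(appID, 0x01, counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, counter, err
}

// ServerVerify is the relying party's check: rebuild the message with ITS OWN
// app ID and the challenge it issued, then verify against the stored public key.
func ServerVerify(pub *ecdsa.PublicKey, appID string, clientData []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedMessage(appID, 0x01, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// PhishingDemo returns (legitimate login verified, relayed phishing login verified).
func PhishingDemo() (bool, bool, error) {
	const realOrigin = "https://example.com"  // assumed relying party
	const phishOrigin = "https://examp1e.com" // assumed look-alike site
	key := NewAuthenticator()
	pub, handle, err := key.Register()
	if err != nil {
		return false, false, err
	}
	challenge := []byte(`{"challenge":"constructed-nonce-0001"}`) // a real server sends fresh random bytes

	sig, ctr, err := key.Authenticate(handle, realOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	legit := ServerVerify(pub, realOrigin, challenge, ctr, sig)

	// The attacker relays the genuine challenge, but the victim's browser tells the
	// key the origin is examp1e.com, so the signature covers the wrong app ID hash.
	sig2, ctr2, err := key.Authenticate(handle, phishOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	phished := ServerVerify(pub, realOrigin, challenge, ctr2, sig2)
	return legit, phished, nil
}

func main() {
	legit, phished, err := PhishingDemo()
	fmt.Printf("legitimate login: %v, relayed phishing login: %v, err: %v\n", legit, phished, err)
}
```

Two things the demo leaves out that real keys add: the key handle is itself bound to the app ID, so a genuine key would refuse to sign for examp1e.com at all rather than produce an unusable signature, and the server should reject any counter value that does not increase, which flags a cloned key. The part that matters for this article is visible in ServerVerify: the site stores only a public key, so the breach scenario that breaks TOTP hands an attacker nothing they can log in with.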

So, what’s the downside? Well, even though U2F is an open standard, it still costs money to buy a physical U2F key. And perhaps more concerning, you’re at risk from theft or loss.

A stolen U2F key doesn’t automatically make your account insecure; a thief would still need to know your password, and the key only signs when someone physically touches it. But in a public area, a thief might have already watched you enter your password before stealing your possessions. Register a second key with each service and keep it somewhere safe, so that a lost or stolen key can be removed from your accounts without locking you out.

U2F Keys Can Be Pricey

Prices vary considerably between manufacturers, but you can expect to pay between about $15 and $50.

Ideally, you want to purchase a model that’s “FIDO Certified.” The FIDO (Fast IDentity Online) Alliance is responsible for achieving interoperability between authentication technologies. Members include everyone from Google and Microsoft, to Bank of America and MasterCard.

By buying a FIDO Certified device, you can be sure your U2F key will work with all the services you use every day. Check out the DIGIPASS SecureClick U2F key if you’d like to purchase one.


Insecure 2FA Is Still Better Than No 2FA

To summarize, Universal 2nd Factor keys provide a happy medium between ease of use and security. SMS is the least secure approach, but it is also the most convenient.

And remember, any 2FA is better than no 2FA. Yes, it might take you an extra 10 seconds to log into certain apps, but it’s better than sacrificing your security.


  1. Matthew Nichols
    November 5, 2019 at 10:14 pm

    I don't really buy the arguments around the insecurities in 2FA apps. The most popular one, Google Authenticator, doesn't store any data/secrets in the cloud--they are all local to the device. In terms of server-side insecurities of the first-party site, I'm not sure why you think the secret will likely be stored in plain text? There's no reason for it to not be encrypted, and simply decrypted in memory when needed.

    Yes, a hardware key is still more secure (the private key is never revealed, it's stored somewhat more securely, and domain verification is used), but I think 2FA apps are more secure than you portray them.

  2. Karen
    July 29, 2019 at 8:47 pm

    Some web sites and apps offer the option to use either a TOTP code or an SMS for all transactions. So even if a user decides that using TOTP is more secure and uses it, as long as the SMS option is available, hackers who can access the SMSes will pick that option when hacking into an account. In order for a web site to be secure, they would have to offer users the option of shutting down the SMS or TOTP options.

  3. andy shirey
    February 18, 2019 at 5:52 pm

    The best security solutions are the ones that get used. For the broadest set of users, 2FA delivered via SMS is the easiest to set up and most convenient to use, thus it actually gets used and is significantly safer than a password alone. If you have high security concerns or paranoia then other solutions are available. It's a bit irresponsible to suggest that people shouldn't use SMS for added security.

  4. Richard
    September 20, 2018 at 1:44 pm

    Over the years, 2FA applications are no longer as secure as they used to be. And it's not because of vulnerabilities. It's just because the number of malware for mobile devices has increased drastically. A large number of viruses are specially designed to intercept one-time passwords.

    Maybe I'm too obsessed with security, but I always protect all important accounts with hardware tokens. For Google, I ordered Protectimus Slim mini. It's designed to replace Google Authenticator. And it's a standalone device which works without internet, GSM, USB, etc. So there is not a single chance to infect it with malware.

    There are so many free authentication apps on Google Play now, though Google Authenticator remains the most popular one. And it's clear why: this app is free, easy to use, can be installed on any existing device possible, and there is no need to purchase or install anything in addition. And the most important advantage is that Google Authenticator is offered on almost all websites that have 2FA by default, of course. I use Google Auth for Facebook and similar services where there is no money or documents. But when it comes to any account in a payment system or Google Drive, for example, for me it's better to pay $30 for a hardware security token and be sure that I'm 100% protected.

    Hope I didn't bore you with such a long comment.

  5. William Conor
    September 19, 2018 at 3:56 pm

    NIST, the National Institute of Standards and Technology issued guidance that found SMS insecure and no longer suitable as a strong authentication mechanism...

    I am using WebADM from RCDevs Multi-Factor Authentication with Hardware Token (U2F) and Hardware Security Modules (HSM) in order to comply with the highest security requirements...

    This Security Solution is like a Swiss Army Knife. So many features, just have a look at it.

    It is even free up to 40 users.

  6. Ashton
    July 21, 2018 at 2:32 pm

    I mostly agree, but..

    There's not enough support ;/
    Also.. I still don't see even one way of getting around in case you lose your key..

    That is, imagine situation, you use your password manager, and yubikey for two factor auth on your cellphone...
    You get robbed.
    If you only lose your phone you're fine, but if you lose both? Sure, if you have an extra password you'll have time to disable access, but can you access and recover your passwords?

    Second option - you lose your key... how the hell do you access your stuff now ?

    Perfect option would be to have 2 keys, 1 secure you keep safe, 2nd less secure you use to access, and in case you lose access you can always recover your passwords and account and disable the previous one.

    Yeah I'm paranoid, but i still wonder why nobody is trying to make it real daily life robbery secure or secure it from losing.

    Yubikey etc are good idea but imo still not enough to upgrade.

  7. J.M. Hardin
    June 10, 2018 at 11:04 pm

    How do you use a U2F key on a mobile phone? That's where I'd need it most.