Ask Floh: What SMS 2FA means and why it’s better than nothing: Peerio
November 22, 2018

In today’s episode of Ask Floh, we learn why two-factor authentication (2FA) over SMS is still better than no 2FA at all.

Key takeaways:

  • Authenticator apps and hardware authentication keys were designed specifically for two-factor authentication
  • SMS is a convenient way to do 2FA, but it was not designed for 2FA or for security
  • It is not hard to compromise a phone number and thereby intercept someone’s SMS 2FA codes
  • Security is always about cost: 2FA is an extra step an attacker has to overcome
  • SMS 2FA is not ideal, but it is better than not using 2FA at all

Peerio offers 2FA in the form of two-step verification (2SV). The two are functionally the same; Peerio uses the phrase “two-step verification” because internal user testing found it was more easily understood than “two-factor authentication”.

With 2SV you need two pieces of identification to access your account. Typically one is something you know (e.g. an account key or password) and the other is something you have (e.g. a card or device). With Peerio, the first piece is your account key and the second is your mobile device. Instead of SMS, Peerio asks you to complete 2SV with an authenticator app on your mobile device. The app displays a six-digit code that changes every minute, so only the person holding the device has the current code.

We recommend using one of the following authenticator apps:

  • Authy: Encrypted backup and sync of your accounts across devices, remote device de-activation, PIN-locking, and a desktop app. Provides convenience and security in the event of a stolen or lost device. Not open source. Available for Android and iOS.
  • FreeOTP: A free and open-source authenticator. Simple and reliable. Available for Android and iOS.

Even if your account key were somehow compromised, an intruder could not access your account without your mobile device.

Transcript:

Hello and welcome back. This is Ask Floh, and I am here to answer your questions about cyber hygiene. So today’s question comes from Dan in Dallas. And he asks,

“I heard that SMS 2FA is insecure, should I still be using 2FA for my stuff at work?”

Um, that’s a great question. So the very short answer is yes.

The longer answer is about, you know, what is 2FA (two factor authentication)? How does it work? And how can some forms of it be better and worse than others? So, let’s discuss some of the different ways that you can do two factor authentication.

So there’s SMS. There’s also the authenticator app, such as Google Authenticator, or Authy, or there are a few others as well. And that’s the sort of rotating number. And then there’s also a push notification based one, which is very similar. And then additionally, there’s a two factor authentication key, such as a YubiKey, or there are some other types as well. And so the thing about all these things is they’re really designed for the purpose of two factor authentication.

Whereas SMS is just kind of a convenient vehicle that could be used for that. But it’s sort of an afterthought. And so it’s very much not perfect. And the reason for that is that the provider of the service, of the security service, is actually not a security company. It’s not someone who has as their main business model, making sure that this channel is secure. So specifically, that’s the telecommunications company. And it’s been proven time and time again, that it is actually not that hard to compromise someone’s phone number, and therefore gain access to their SMS that are meant for two factor authentication.

So that said, that still means that someone really has to go the extra mile. Whereas if you don’t have two factor authentication at all, it’s a lot easier for you to be a victim of a sort of massive breach on a service. And if your password is bad, even more so. So two factor authentication, regardless of the form, really provides an extra step that an attacker has to overcome.

And the thing about security is that it’s always about cost. So if for the attacker the cost of having to deal with the telecommunications company is actually just too high for the value of the data that they would be getting, then they’re just going to leave it be, right? So it’s worth it in that sense.

And in practice, there are a lot of reasons why if you’re in a really big company, it is probably impractical for your IT director to roll out an app, especially if people’s phones aren’t controlled by the company. If everyone has their own device, then getting them to install an app is a bit of a pain. And there, you know, there are sort of practical reasons why you might end up with SMS being the most viable solution for two factor authentication. And if that’s the case, still use it. It’s still better than nothing. But if you can, then do go for one of the other options. Get a YubiKey. Use Authy or Google Authenticator or one of these other applications that does the job.

Alright, I hope that was helpful. Take care and I will see you next time.
