The Dangers of SMS 2FA (and other fancy letters too)


Two-factor authentication (2FA) is a cybersecurity technique that helps protect your online information. In essence, it requires two independent "factors", typically something you know (a password) plus something you have (a phone or a token), to be provided in order to log in to an online service.

A common method of enforcing 2FA is to send a one time code to your cell phone using the Short Message Service (SMS or more commonly, a text message) after you initially log into an online account. You enter the code and, voila! you are granted access to your account. And this is safe, right? Well, maybe not.


The simple fact of the matter is that SMS was never designed to carry secrets. Your phone number is not tied to your handset; it is tied to a small SIM card that identifies you to the carrier's network, and the carrier can move that number to a different SIM at any time. That is exactly what a SIM-swap attacker exploits: rather than cloning your card, they persuade (or bribe) carrier staff to port your number to a SIM they control. From that moment your calls and text messages, including the 2FA code sent when they log into your online account, arrive on their phone instead of yours. A telltale sign is that your own phone suddenly loses service.

How dangerous is the threat? Though it takes more effort than your average phishing scheme, SIM swapping is becoming more prevalent. And as more online accounts move toward 2FA using SMS messaging, the payoff for taking over a single phone number only grows, so the attack is only going to become more popular.

Despite the growing popularity of SMS 2FA, the National Institute of Standards and Technology (NIST) has deprecated SMS as a recommended out-of-band authenticator in its Digital Identity Guidelines (Special Publication 800-63B) because of these weaknesses. This doesn't mean SMS 2FA is going away immediately, but it does mean the shift to more secure methods is underway.

So what do I do?

There are easy alternatives. Authenticator apps such as Microsoft Authenticator, Google Authenticator, Duo, and Authy generate the one-time code on the device itself, from a secret shared with the service when you enrol, so no code ever travels over the carrier's network and there is nothing for a SIM swap to intercept. Some of these apps back up or sync their secrets to a cloud account; that account is then only as secure as the password protecting it, so use strong password hygiene and a password manager there as well.

Finally, the most important piece is education. Cybersecurity is constantly changing. To stay protected you must stay informed. If you are a business owner, education is even more important. Employees are the weakest link in cybersecurity. Train your employees to recognize attacks and keep your business safe.