October 2, 2023


Passcodes from SMS or authenticator apps are better than passwords alone, but hackers can exploit their weaknesses.
You’ve probably heard this security advice: protect your accounts by using two-factor authentication. You’ll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator.

Here’s the problem: It can be easily bypassed. Just ask Twitter Chief Executive Jack Dorsey. Hackers gained access to Dorsey’s Twitter account using a SIM swap attack that involves fooling a carrier into switching mobile service to a new phone.

Banks, social networks and other online services are moving to two-factor authentication to stem a torrent of hacks and data theft. More than 555 million passwords have been exposed through data breaches. Even if yours isn’t on the list, the fact that so many of us reuse passwords — even alleged hackers themselves — means you’re likely more vulnerable than you think.

Don’t get me wrong. Two-factor authentication is helpful. It’s an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. As the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.

Authentication code interception
Code-based two-factor authentication, however, doesn’t improve security as much as you’d hope. That’s because the code is just another thing you know, like your password, even if it has a short shelf life: anyone who obtains it can use it for as long as it remains valid. If it’s swiped, so is your security.
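To make the "short shelf life" concrete, here is an added example (not code from the article or from any authenticator app): a minimal RFC 6238 TOTP generator and a server-side verifier. It uses the RFC's published test secret, and shows that a copied code verifies anywhere within the acceptance window, while single-use enforcement on the server at least stops the same code from being replayed after the real user has logged in.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference test secret ("12345678901234567890" in base32); not a real enrolment key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per code, the Google Authenticator default
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code depends only on the shared
    secret and the time step, so whoever holds the code holds the factor."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: accepts the current step and one step either side
    (clock skew), and never accepts a step at or below one already consumed."""

    def __init__(self, secret_b32: str):
        self.secret_b32 = secret_b32
        self.last_used_counter = -1    # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter_now = now // STEP
        for counter in (counter_now - 1, counter_now, counter_now + 1):
            if counter <= self.last_used_counter:
                continue               # single use: this step was already spent
            expected = totp(self.secret_b32, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_used_counter = counter
                return True
        return False


def intercepted_code_scenario() -> dict:
    """Walk through the interception case on the RFC test secret (constructed timeline)."""
    server = TotpVerifier(RFC_TEST_SECRET_B32)
    t_user = 1111111109                 # user generates a code at this time
    stolen = totp(RFC_TEST_SECRET_B32, t_user)
    return {
        "code": stolen,
        "attacker_first": server.verify(stolen, t_user + 2),   # used before the user: accepted
        "replay_later": server.verify(stolen, t_user + 20),    # same code again: rejected
        "stale_code": server.verify(totp(RFC_TEST_SECRET_B32, 59), t_user + 20),
    }
```

The window means interception is only narrowed, not prevented; the single-use rule is the server-side mitigation that bounds the damage to one login per stolen code.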

SIM swapping attacks
Then there’s the SIM swap attack that got Twitter’s Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker’s phone. Each phone has a discrete chip — a subscriber identity module, or SIM — that identifies it to the network. By moving your account to a hacker’s SIM card, the hacker can read your messages, including all your authentication codes sent by SMS.

Don’t dump two-factor authentication just because it isn’t perfect. It’s still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.
