Two-factor authentication is a critical security measure in today’s digital world. As hacker creativity increases, so does the need for securing your online accounts. That is why many sites encourage – or require – confirmation that you are, in fact, you: two-factor authentication (2FA). The most common form of 2FA is for the site to send a text to your mobile phone or email with a code you enter on the site.
While nothing is 100%, all of us at Cantrell’s IT are big fans of 2FA. The idea of requiring something you know (your password) and something you have (your phone) to access your data just seems like a wise extra step to us because it makes hacking much harder for the cybercriminals. After all, while passwords can be hacked, if you have your phone, you’re safe, right?
Maybe not.
Old Technology
Text messages use short message service (SMS), an old technology that was never intended to be secure. Here are some things to keep in mind:
- Your cellular provider keeps your text messages. They generally keep the message itself for only a few days; however, the date, time, and phone numbers involved are saved for much longer and are subject to subpoena.
- Most governments can monitor SMS messages.
In the case of 2FA, these might not seem to be a problem. An authorization code usually expires within a few minutes, so having it saved by your carrier is probably not an issue. And if your records are being subpoenaed or a government is actively monitoring your SMS messages, it is not to access an account confirmation code (and we suggest you find a very good lawyer).
However, there is another reason SMS is not good for 2FA:
- A text message is not end-to-end encrypted in transit, which means that anyone with enough technical know-how can intercept and read it.
A text message security code became common for verification not because it uses secure technology but because just about everyone has a cellular phone – assuming someone hasn’t stolen your number.
Have You Heard of SIM Swapping?
It turns out that being in possession of your phone does not guarantee that you will receive a verification text message. The bad guys are getting better at convincing carriers to port phone numbers to different SIM cards.
Basically, they take control of your phone number, not your handset, redirecting calls and texts to their own device. Now they control the ability to confirm your identity because they receive your text messages – including those with an authentication code.
Every account – banking, shopping, social media – that connects to your phone number is now at risk.
You can suspect a SIM swap if you suddenly lose the ability to make or receive calls and texts. If you then discover that you are locked out of your accounts, you need to go into a storefront for your carrier and prove that you, not the person who stole your number, are the real account holder.
If Not Text, What?
We recommend other 2FA methods that are more secure than text messaging. There are applications called authenticators that you can use for the second part of 2FA. While they are primarily phone apps, there are desktop versions as well. The difference between an application on your phone that generates or asks for a confirmation code and receiving a text message with one is that the application is linked to the device, not to your phone number. Authy and Microsoft Authenticator are two good examples of authenticators.
Another 2FA method is the use of security keys. These are physical devices that you plug into your computer or connect to your phone via Bluetooth or NFC (near field communication). Examples include YubiKey and Google Titan Security Key. This is one of the most secure methods because even if a hacker gets your username and password, they still can’t access your account without the physical security key.
While SIM swapping is becoming more problematic, any form of 2FA (including text messages) greatly increases the security of your accounts and data over not using 2FA at all.
Feeling Confused?
We understand. I remember rotary phones. They worked great until they didn’t – technology moved forward.
Part of what Cantrell’s IT offers is education and training on these topics. We can help you and your employees implement security steps, such as 2FA using authenticator apps, to improve the security of your critical business data. We also offer services for monitoring and emergency response planning for when the bad guys are just more determined than any security measure.
The best time to put data security measures in place is before you need them. Call Cantrell's IT to secure your business.