Don't Let Two-Factor Text Authentication Lull You Into A False Sense Of Security

Earlier this month, activist DeRay McKesson explained on Twitter that his account had been hacked not because he lacked two-factor authentication—the standard for those who don’t want to get hacked—but because the hackers found a workaround for the text-based system he relied on for security.
According to a new Wired article, this is just one of the ways SMS-based security fails to really protect you—even if you’re not a prime target for faux Trump endorsements.

“SMS is just not the best way to do this,” says security researcher and forensics expert Jonathan Zdziarski. “It’s depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”

This sort of IRL subterfuge (duping a service rep [or working in cahoots with a state-owned telecom company, if you’re a government agent looking to snoop]) is only one level of hacking. Relying on text messages for your two-factor authentication (and you are using two-factor authentication, right?) leaves you vulnerable to semi-sophisticated virtual attacks as well.

“SMS has turned that ‘something you have’ into ‘something they sent you,’” says Zdziarski. “If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.”
Dedicated hackers can make use of fake cell towers or systemic weaknesses in the global signalling network that connects phone carriers (known as SS7) to digitally nab the code that serves as the second step of a supposedly secure log-in.

So what’s an appropriately paranoid modern tech-user to do?

Any two-factor verification system that doesn’t rely on SMS messaging is an improvement. Google’s recent update aims to make security more palatable by replacing the six-digit code with a simple “yes” or “no” question—but it’s also much less susceptible to hacks because the code is generated within the phone or app that displays it. Other in-app systems on Facebook and Twitter allow those accounts to be locked behind two-factor authentication without relying on any outside messaging system.
Of course, it’s likely only time until the hackers figure out how to crack these new systems. So you might as well go off the grid now.