SMS messages are something of a security disaster. These unencrypted, plain-text messages travel across multiple unsecured networks from sender to recipient, on a system that is a throwback to a long-gone era. This is becoming better known where we message one another, hence the rise of encrypted alternatives such as WhatsApp, iMessage and Signal. Yet, ironically, that same SMS system has become the default delivery mechanism for most two-factor authentication (2FA) codes. And that is not good.
This is a problem for many reasons. An SMS is delivered to a phone number, not to an authenticated user: the biometric or passcode protections on our devices guard the physical handset, not the number, and the two are separate. That leaves us exposed to SIM swapping, to social-engineering scams that talk victims into handing over those six-digit codes, and to malware that reads incoming messages, or captures screenshots of them, and exfiltrates the code.
For all those reasons, and more, the advice is now to avoid SMS-based 2FA if you can. Clearly, SMS is still much better than nothing at all. And hardware security keys or authenticator tokens are a stretch for most people. So, if you can instead tie 2FA to the biometric or passcode security of a known device, that is a vast improvement. Apple does this well with its trusted-device prompts, and Google is fast making it the default as well.
“Starting on July 7,” the tech giant confirmed in a blogpost on June 16, “we will make phone verification prompts the primary 2-Step Verification (2SV) method for all eligible users.” The plan is to switch Google account holders to this setting rather than leaving most of them to default to an SMS message or voice call.
There is a downside: every device the user is signed into will receive the prompt, which will mean some rejigging for families that share devices. Users who already have security keys will see no change. If the phone prompt does not work for you, you can fall back to an SMS code during verification, although Google does not recommend this. Note too that a prompt is only as good as the person answering it: a sign-in prompt you did not just trigger yourself should be declined, not approved.
Google explains that this shift is both more secure and easier, “as it avoids requiring users to manually enter a code received on another device.” In deciding to make this the “primary method” for 2FA, Google says “we hope to help [users] take advantage of the additional security without having to manually change settings—though they can still use other methods of 2-Step Verification if they prefer.”
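To make the difference between the two methods concrete, here is an added example that is not part of the original article and is not Google's or Apple's implementation: a simplified Go model of both flows. In the SMS flow the factor is tied to nothing but a phone number, so the six digits are the whole secret and whoever reads the message holds it. In the prompt flow each device enrolls a key pair, a sign-in mints a single-use challenge that is pushed to every enrolled device, and the server accepts only a signature made on an enrolled device after a local unlock. The key storage, the unlock flag, the push channel, the sample code `482913` and the `login-approve:` message prefix are all assumptions made for illustration; a real implementation keeps the key in a hardware-backed keystore and also binds the challenge to the sign-in session it belongs to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Flow 1: SMS one-time code. The factor is tied to a phone number only, so whoever reads
// the message (SIM swap, phishing, SMS-reading malware) holds the whole secret, and the
// six digits are all the server can check.
func verifySMSCode(issued, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(issued), []byte(submitted)) == 1
}

// Flow 2: prompt on an enrolled device. Each device registers a public key at enrollment;
// a sign-in mints a single-use challenge that is pushed to every enrolled device and is
// approved only by a signature made after a local unlock.
type device struct {
	priv     ed25519.PrivateKey // assumption: a real device keeps this in a hardware-backed keystore
	unlocked bool               // stands in for the passcode/biometric unlock
}

func newDevice() (*device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &device{priv: priv}, err
}

type prompt struct {
	challenge []byte
	detail    string // shown to the user so they can decline a prompt they did not trigger
}

type account struct {
	devices []ed25519.PublicKey
	pending map[string]time.Time // hex(challenge) -> expiry; entry removed once used
}

func newAccount() *account { return &account{pending: map[string]time.Time{}} }

func (a *account) enroll(d *device) {
	a.devices = append(a.devices, d.priv.Public().(ed25519.PublicKey))
}

func (a *account) startPrompt(now time.Time, detail string) (prompt, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	a.pending[hex.EncodeToString(c)] = now.Add(2 * time.Minute)
	return prompt{challenge: c, detail: detail}, err
}

// signedMessage domain-separates the challenge; the prefix is an illustrative assumption.
func signedMessage(p prompt) []byte { return append([]byte("login-approve:"), p.challenge...) }

func (d *device) approve(p prompt) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: user must unlock it first")
	}
	return ed25519.Sign(d.priv, signedMessage(p)), nil
}

func (a *account) verifyApproval(p prompt, sig []byte, now time.Time) error {
	key := hex.EncodeToString(p.challenge)
	exp, ok := a.pending[key]
	if !ok || now.After(exp) {
		delete(a.pending, key)
		return errors.New("unknown, already used or expired challenge")
	}
	for _, pub := range a.devices {
		if ed25519.Verify(pub, signedMessage(p), sig) {
			delete(a.pending, key) // single use: a captured approval cannot be replayed
			return nil
		}
	}
	return errors.New("signature is not from an enrolled device")
}

func main() {
	now := time.Now()
	const smsCode = "482913" // constructed sample; whoever read the SMS can type this in
	fmt.Println("SMS code typed in by whoever read the message:", verifySMSCode(smsCode, smsCode))
	acct := newAccount()
	phone, _ := newDevice()
	acct.enroll(phone)
	p, _ := acct.startPrompt(now, "New sign-in from Chrome on Windows")
	attacker, _ := newDevice() // controls the phone number, not the enrolled key
	attacker.unlocked = true
	badSig, _ := attacker.approve(p)
	fmt.Println("attacker approval:", acct.verifyApproval(p, badSig, now))
	_, err := phone.approve(p)
	fmt.Println("locked enrolled phone:", err)
	phone.unlocked = true
	sig, _ := phone.approve(p)
	fmt.Println("unlocked enrolled phone:", acct.verifyApproval(p, sig, now))
	fmt.Println("replay of the same approval:", acct.verifyApproval(p, sig, now))
}
```

Running it shows the SMS code accepted from whoever holds it, the attacker's signature and the locked phone rejected, the unlocked enrolled phone accepted once, and the replay refused. The single-use challenge and the device-held key are what make the prompt flow different in kind: a captured approval is worthless, whereas a captured six-digit code is the whole secret until it expires.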
This is a big step in the right direction, and one that others need to follow. With more of us signing in to our various platforms from multiple devices, using an already-authenticated device to approve a new sign-in makes good sense. Anyone using SMS-based 2FA with an enterprise Office 365 account, for example, will know how painful and clunky that process is; there are better ways to handle the problem.