For Two-Factor Authentication, Choose Apps Over Phone Number-Based Methods
The most common forms of two-factor authentication (2FA) are SMS text messages and apps which generate codes which change every 30 or 60 seconds or so. To many, these choices might seem negligible. You are just essentially opening an app (either the “texting” app or the authenticator app) to get a 6 digit code whenever prompted. To the end-user, this probably feels like it is basically the same experience. I feel very strongly that authenticator apps are much safer and more secure than SMS-based text messages for 2FA. Let’s take a look at a few reasons why that is the case.
Apps Don’t Expose Your Phone Number
The latest privacy and security nightmare at Facebook is a reminder that tech companies don’t always use your data in the way they claim they will when they request it. The Electronic Frontier Foundation has a great write-up in their article, “You Gave Facebook Your Number For Security. They Used It For Ads“. The title sums up what Facebook and many other tech companies do… once they have your data on file for one reason (such as security) they may turn around and sell it to advertisers. In the case of a phone number, this means more spam phone calls.
Phone Numbers Are Only As Secure As Their Service Providers
Social engineering attacks against high-profile individual commonly involve their wireless carrier. For example, cryptocurrency investor and co-founder of angel group “BitAngels” has filed a lawsuit against AT&T for $224 million after what he claims was, “AT&T’s willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy”. After the attacker gained access to the phone, he was able to steal roughly $24 million worth of cryptocurrency.
Phones connected to wireless carriers have an inherent liability that authenticator apps do not have. The potential for an employee of your carrier to intentionally or accidentally expose your account to an attacker impersonating you or stealing your identity is a concern. It might not be something that the average person worries a great deal about, however the greater someone’s profile, the more that it should factor into their decision making when it comes to their digital security. Celebrities, political figures, and certainly C-Suite leaders at any organization should start to think of themselves as potential targets of this kind of attack and take relevant precautions.
What Should You Use?
There are several good, reliable options out there for authenticator apps so that you can replace the use of SMS text-based authentication wherever possible.
Google Authenticator
Google’s App has been a staple of this space for a long time. It is simple, clean, and easy to use. It is also available cross-platform.
Authy
If you aren’t comfortable using a Google product for any reason then Authy is a great option. It is another beautiful app that will work on Android and iOS devices and should be compatible with all of the same apps and service’s that Google’s authenticator is.
Best Possible Option: Physical Authentication Keys
If you are really serious about security, then consider going a step further and acquire a physical authenticator key. The first to gain major popularity were the “Yubikey” made by Yubico. They were so successful at Google that Google claimed that they had eliminated employee account takeovers for accounts protected solely with Yubikeys.
Google now also makes their own version of the security key known as the “Google Titan Security Key“. Both Google and Yubico’s products retail for about $50.
