Manila Bulletin

Say NO to SMS-based Multi-Factor Authentication

- By ROM FERIA

One of the pieces of advice I give to people when it comes to security and keeping your online data private is to enable multi-factor authentication (MFA) on the services that they use, e.g., Google Mail, Facebook, Twitter, among others. This, in conjunction with using VPNs when connecting to the internet over public WiFi, and using password managers, like 1Password, so you have a catalog of username-password pairs with unique, long and complex passwords, provides an added level of complexity against hackers.

Mind you, if hackers target you, there is very little you can do—the most is to minimize the data that they can get, minimize the damage, so to speak.

Multi-factor authentication, either via 2-Step or 2-Factor authentication, provides an added layer when accessing services. One is something you know (password), and the other factor is something you have (a mobile phone or a physical random key generator). With MFA enabled, after you enter your username and password pair, it will prompt you with another password or PIN to enter—and without the mobile phone or the key generator, there is very little chance of generating one. True that there is also an added layer of inconvenience, but this is the price of making your account more secure.

The “something you have” part of MFA is often the mobile phone, as it is the most common device that users have. Implementing this factor or step is done in two (2) ways: either via SMS, or an app.

Using SMS, after you enter your username and password, the service will send you an SMS with the PIN or passcode on the mobile phone number that you have pre-registered. Using the app, you simply need to run the app and check the generated PIN or passcode. In both cases, the PIN or passcode is time-bound.

Here’s where the flaw is—first of all, if someone manages to get hold of your phone, and it is not properly secured via a passcode, then that is it, game over. The flaw is the SMS-based implementation. Well, to put it more accurately, the flaw lies with the mobile phone provider’s employees who handle customer relations.

Why is this so? I have heard of instances where these employees provide a SIM card replacement to unauthorized persons without vetting them properly. The current verification process is made useless, thanks to the COMELEC data leak.

Yes, more often than not, your address or mother’s maiden name is used to validate your identity. So, when someone gets hold of your SIM card replacement, all your SMS-based multi-factor authentication is rendered useless! Mind you, this is the same as sending the PIN or passcode via e-mail, especially when your e-mail service has no support for MFA.

Apple uses push notifications for its second factor. Google’s GMail supports both SMS-based and an app-based system.

However, Google will soon be slowly pushing users using SMS-based authentication to the more secure app-based system.

Like Google, Twitter supports both, but with both enabled at the same time—I have yet to find a way to disable the SMS-based and just use the app-based system.

There are PIN/passcode generators on the App Store, e.g., Google’s Authenticator or Authy. In my case, 1Password has built-in support for this feature, so no additional app to install and manage.

To sum up, you must enable multi-factor authentication on all services that you use that support it. The added inconvenience is very well worth the peace of mind of having a more secure account. If given a choice, do not use SMS-based or e-mail-based secondary authentication.
