The Dangers of SMS 2FA (and other fancy letters too)

Category: Cyber Security | Date: July 2020

Two-factor authentication (2FA) is a cybersecurity technique that helps protect your online information. In essence, it requires “two factors” to be provided in order to log in to an online service.

A common method of enforcing 2FA is to send a one-time code to your cell phone using the Short Message Service (SMS, or more commonly, a text message) after you initially log in to an online account. You enter the code and, voilà, you are granted access to your account. And this is safe, right? Well, maybe not.


The simple fact of the matter is that SMS technology is just not very secure. Your phone uses a tiny card, called a SIM card, to match your phone hardware to your phone number. The problem is that those SIM cards are relatively easy to copy. If an attacker copies your SIM card, they can potentially receive all of your phone calls and messages, including the 2FA code that is sent when they log in to your online account.

How dangerous is the threat? Though certainly a more difficult attack than your average phishing scheme, SIM card spoofing is becoming more prevalent. And as more online accounts move toward 2FA using SMS messaging, SIM spoofing is only going to become more popular.

Despite the growing popularity of SMS 2FA, the National Institute of Standards and Technology (NIST) is dropping SMS as a recommended method for 2FA because of its insecurities. While this doesn’t mean SMS 2FA is going away immediately, it does mean the shift to more secure methods is underway.

So what do I do?

There are easy alternatives. Authentication apps such as Microsoft’s Authenticator, Google’s Authenticator, Duo, and Authy are all installed applications that more securely provide a 2FA code for logging in to your online accounts. Of course, since you log in to these services, they are only as secure as your password. Use strong password hygiene and a password manager to further protect yourself.

Finally, the most important piece is education. Cybersecurity is constantly changing. To stay protected you must stay informed. If you are a business owner, education is even more important. Employees are the weakest link in cybersecurity. Train your employees to recognize attacks and keep your business safe.
