The Importance of Authorization
When it comes to authorization, you want to feel confident that only you have the ability to access your information and your accounts. A simple username and password combo is no longer enough to keep criminals out of your accounts and protect against account takeover fraud and identity theft.
How SMS Two-Factor Authentication Works
With SMS two-factor authentication, a secondary one-time password is sent via text. In order for SMS two-factor authentication to work, the following elements are required:
- Possession of a device or mobile phone
- A PIN and/or passcode or a retina or fingerprint to get into the device
- A username and password to access an online account
- A one-time SMS password sent via the website
All of this needs to be provided in order to gain access to a critical account, which has proven to be sufficient for most users.
This means that a hacker would need access to the device, the PIN and/or password, the username and password, and the one-time password in order to retrieve the information they are looking for. This is considerably more difficult than needing only the online account password; passwords are often reused across multiple accounts and exposed in data breaches. In essence, this reduces the probability that someone will be able to not only hack your password but then also hack your device to retrieve the PIN.
How Are Hackers Circumventing SMS Two-Factor Authentication?
Man-in-the-middle attacks:
- Hacker gets ahold of your username and password.
- Hacker tries to log in and gets denied because of SMS two-factor authentication.
- Hacker contacts you via phone, email or social media with a ruse requesting your one-time password.
- Hacker actually poses as you at a cell phone carrier’s brick-and-mortar store and gets a phone with your phone number.
Changing preregistered phone number:
- Hacker contacts and socially engineers a website where you have set up SMS two-factor authentication, and the website allows the hacker to change the registered mobile number.
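The server side of the one-time SMS password step described above, with a hold on newly changed phone numbers as one possible mitigation for the number-change ruse. This is an added example, not code from the original article; the class name, the time limits and the hold period are assumptions.

```python
import hmac
import secrets

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3      # guesses allowed per code (assumed value)
NUMBER_HOLD = 86400   # seconds without SMS codes after a number change (assumed)


class SmsSecondFactor:
    """One account's SMS second factor (hypothetical class for illustration)."""

    def __init__(self, phone, now):
        self.phone = phone
        self.phone_changed_at = now - NUMBER_HOLD  # treat enrolment as already aged
        self._pending = None                       # (code, expiry, attempts_left)

    def change_phone(self, new_phone, now):
        # A changed number cancels any outstanding code and starts the hold,
        # so a socially engineered change does not pay off immediately.
        self.phone = new_phone
        self.phone_changed_at = now
        self._pending = None

    def issue(self, now):
        """Return (destination, code) for the SMS gateway, or None while on hold."""
        if now - self.phone_changed_at < NUMBER_HOLD:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending = (code, now + CODE_TTL, MAX_ATTEMPTS)
        return self.phone, code                    # never echoed to the web client

    def verify(self, submitted, now):
        """True only for the current, unexpired, not yet used code."""
        if self._pending is None:
            return False
        code, expiry, attempts = self._pending
        ok = now <= expiry and hmac.compare_digest(
            code.encode(), submitted.encode())     # constant-time comparison
        if ok or now > expiry or attempts <= 1:
            self._pending = None                   # one-time: used, expired or locked out
        else:
            self._pending = (code, expiry, attempts - 1)
        return ok
```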
Increase in Confidence Among Users
When using SMS two-factor authentication, you do not have to be concerned if your password falls into the wrong hands because the criminal still needs your one-time password to get in. Companies that advertise this benefit are more likely to boost their customers’ confidence and attract more interest in their products and services with this added security.
So, should you abandon SMS two-factor authentication? Not if you want to have an extra layer of protection. But as you can see, SMS two-factor authentication is not foolproof. Over time, we will see more vulnerabilities, and we will also see banks and other organizations use additional measures meant to protect us.
*Originally posted August 25, 2016. Updated June 22, 2021.*