All over the world, banks and other companies in all industries have turned to 2-step verification to secure your online accounts. While 2-step verification is a great way to secure your online accounts, SMS isn’t a secure 2-step verification technique.
There are many 2-step verification techniques available, but the one you should never pick is SMS: receiving a code through a text message.
In this article, we will go over why you should avoid using SMS 2-step verification and instead use other 2-step verification techniques, like an app or biometric verification.
What Is Two-Step Verification?
2-step verification, also sometimes called 2-factor authentication (2FA), is a method that many online companies use to secure their online accounts. You might’ve seen two-step verification on your Google, Amazon, Apple, and Facebook accounts whenever you log in from a new location.
Instead of only entering your email address and password to log in, two-step verification will also require you to do another step before you can access your account. This can be something like pushing a button in an app, typing a code sent to your email address, receiving a text message on your phone, or even a biometric scan.
Using 2-step verification means that someone trying to access your account would need both your password and whichever method of 2-step verification you use.
But Why Is SMS So Bad For 2-Step Verification?
Receiving two-factor authentication codes through text message (SMS) is by far the least secure method of securing your online accounts. Several times, hackers have managed to trick phone service providers into performing a SIM swap, the process of migrating a phone number to a different device.
All they need to convince phone providers that they are you is your phone number and a small amount of information about you. Banks and other large companies often have data breaches, and their clients’ information can get publicly leaked. With some social engineering, hackers can trick phone companies into redirecting your SMS messages to their own devices, giving them full access to your online accounts.
Once they can redirect your SMS messages, they don’t need your phone and can sometimes even bypass your password to access your online accounts.
If they are serious about targeting you, they can even spy on your phone calls and intercept any text messages you receive, as well as access your phone’s geolocation.
So What Should You Use Instead of SMS?
Authentication apps are a great way to secure your online accounts with very little effort. Unlike SMS messages, access codes are confined to a specific app, meaning hackers can’t just redirect your code to their own device.
Additionally, 2-step verification codes tend to expire quickly, usually within a 30-minute window. To add to the convenience of using an app, some only require you to press a button instead of typing out an access code of several characters.
Why Do You Even Need 2-Step Verification?
If the most commonly used method of 2-step verification is so vulnerable to hacking, what is the point of even setting up 2-factor authentication?
While SMS is very weak and susceptible to exploits, other methods of 2-step verification are much more secure and reliable for protecting your online accounts. Without 2-step verification, a hacker would only need to guess your password to access your account.
Using only 1-step verification, just a password, leaves your account susceptible to brute-force dictionary attacks, where a hacker can keep guessing your password until they get it right.
We’ve written a whole article about why you should also use password management systems and how long it takes for a computer to guess your password here.
Just having a long password is not enough anymore; two-step verification is necessary for securing your data.
What We Recommend To Secure Your Data
There are tools like Google’s Authenticator that will require you to install the app on your smartphone. You will have to set it up on every site you want to use it with. To log into a website that uses Google Authenticator, you will have to input your username and password, then open the app and input the code it shows on your screen.
Even if a hacker knows your username and password, without your phone with Google Authenticator, they will not be able to access your online accounts because they will also need your key from Google Authenticator. Any online account that is set up with Google Authenticator will require your 6-8 digit key code before you can log in.
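How an authenticator app arrives at that code, as an added example that is not part of the original article and is not Google’s code: a time-based one-time password (TOTP, RFC 6238) is computed on the phone from a secret shared with the site at setup plus the current time, so nothing travels over the phone network for a SIM swap to redirect. The secret below is the published RFC 6238 test value, and the 30-second time step and one-step drift allowance are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded
# the way a site shows it at setup. Test value only, never a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """What the app displays: HOTP with counter = Unix time // step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


def verify(secret_b32: str, code: str, at: int, digits: int = 6,
           step: int = 30, drift: int = 1) -> bool:
    """What the site does: recompute and compare, allowing +/- drift steps."""
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at // step
    ok = False
    for counter in range(max(0, current - drift), current + drift + 1):
        # compare_digest avoids leaking how many digits matched via timing
        ok |= hmac.compare_digest(hotp(secret, counter, digits), code)
    return ok


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, at=59)  # computed on the phone, offline
    print("app shows:", code)
    print("accepted at t=59: ", verify(DEMO_SECRET_B32, code, at=59))
    print("accepted at t=200:", verify(DEMO_SECRET_B32, code, at=200))
```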
Another method you can use to secure your account is to have an encrypted YubiKey. When you plug this specialized USB dongle into your computer, it will generate a password for you that is ludicrously long and virtually impossible for a dictionary attack to ever crack. Whenever you log in to any online site, you will be required to plug in the YubiKey to input the passcode. Because the device is a physical USB drive, unless hackers physically get access to it, your data will remain secure. You can look into getting a biometric YubiKey for even more security.
Never Use SMS As 2-Step Verification Again
We hope that after reading this article you will consider changing your method of 2-step verification, or even implementing 2-step verification if you haven’t already. There are so many better methods of 2-step verification than SMS that you can use to help keep your online accounts secure.