SMS Does Not Count As Two Factor Authentication

Just so that I’m clear, here is the message:

Sending a code via SMS to a mobile phone does not count as Two Factor Authentication ( 2FA ).

I saw two things recently that brought up this issue again. First, reading the account of someone who was hit with a SIM card swap attack – where someone else calls up your mobile carrier claiming to be you and has your phone number moved to a new SIM card. That led to all sorts of pain from accounts that considered his phone number to be a trusted source of authentication.

The second trigger in all of this was seeing a notification from a financial institution that was going to start enabling “Two Factor Authentication” on accounts. The default method was a code sent via SMS, and given the power of defaults I expect most people will pick that one. Fortunately they do offer a way to use TOTP ( Time base One Time Password ) codes, so the situation wasn’t as bad as it could have been.

At best I’d call that 1.5FA instead of 2FA.

However, I’ve reached a point where any mention of SMS as a 2FA ( Two Factor Authentication ) option should come with a large warning in red blinking text about how this really isn’t what you want to do.

What To Use Instead

I strongly prefer the TOTP option instead, with a mobile app like Authy, Duo, FreeOTP, or Google Authenticator.

Standard disclaimer applies here, nothing is perfect. Using a TOTP app won’t give you perfect security ( I’d argue that doesn’t exist ), but it is miles better than no 2FA and significantly better than SMS tokens.