SMS 2FA and Why You Need It…
A high level overview on 2FA, specifically SMS 2FA.
Introduction
If you’ve ever looked into how to increase your security, even if it was a quick search, odds are you came across 2FA (Two-Factor Authentication). In a nutshell, 2FA adds another layer to your authentication process. Think of it as a second password, except that it does not have to be something you remember. Multi-Factor Authentication (MFA) combines two or more factors drawn from different categories:
- Something you know (a password or PIN)
- Something you have (your phone receiving an SMS code, an authenticator app generating TOTP codes, a hardware security key)
- Something you are (biometrics)
Where you are (location-based checks) is sometimes used as an additional signal on top of these. The point of a second factor is that it comes from a different category than the first: a password plus a second password is still only "something you know", while a password plus a code delivered to your phone forces an attacker to compromise both.
Typically, MFA works like this: you enter your password, then you are prompted to authenticate a second way, using whichever factor you configured when you set MFA up. Once that second factor is verified, you are granted access to whatever you were trying to reach.
The most common and convenient way 2FA is implemented is SMS 2FA, where an OTP (One-Time Password) is sent to your phone via SMS (text message). I will not dive too deep into why this is good or bad here, because SMS 2FA is a large boost in security for someone who uses no MFA at all. Any method can be exploited and no security measure is foolproof, but do not let perfect get in the way of great.
SMS 2FA is far better than no 2FA
Who should use 2FA?
The short answer is: Everyone. No, seriously, everyone should be using 2FA.
Having at least one extra factor of authentication should be the baseline for anyone that has an account for anything online. In 2023 this is even more necessary, especially if you are storing sensitive information online. There is no telling what a bad actor could do if they got access to your accounts. Even if they only accessed your Facebook account and shut you out, think about how many people have Facebook linked as a means of authentication elsewhere. Or if someone got access to your Gmail: how many times have you signed up for a service online and used the ‘sign in with Google’ button? Someone taking over your Gmail and shutting you out would cause a domino effect where you are now locked out of many other accounts, because the email account is also where password resets for those accounts are sent.
How can I get started?
The simplest and fastest way to get started with 2FA is SMS 2FA, an authentication method where an OTP is sent to you directly via SMS text message. The code typically takes the form of a 6-digit number and is valid for roughly 5–15 minutes (this varies by provider). Most services offer a 2FA-via-SMS option, and the authentication method is tied to your mobile number, which most adults have. Once enabled, it will be triggered each time you log into the service.
The security improvement comes from the fact that this OTP is short-lived and single-use, which creates a moving target: not only does the bad actor need your password, they also need a second code that expires in a few minutes and cannot be reused once you have entered it. While 5 minutes may not seem like a long time, you also have to consider that most, if not all, providers limit how many times a code can be attempted. A 6-digit code has a million possible values, so if the attacker does not get it right in the first couple of tries, they are stopped by the attempt limit and, after repeated failures, the account is locked completely.
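The properties described above (a random 6-digit code, a short validity window, single use, an attempt cap and a lockout) are all decisions the service makes on its server. The following is an added example of the server-side logic, not code from the original post or from any particular provider; the concrete numbers (a 5-minute window, 5 wrong guesses allowed, a 15-minute lockout) and the names `OtpService`, `issue_code` and `verify_code` are assumptions chosen to match the behaviour the post describes. Sending the SMS itself is out of scope, so `issue_code` returns the code that would be handed to an SMS gateway.

```python
"""Server-side issuance and verification of SMS one-time codes (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_DIGITS = 6             # the post: "a 6 digit number"
CODE_TTL_SECONDS = 5 * 60   # assumed: 5 minutes, inside the 5-15 min range the post cites
MAX_ATTEMPTS = 5            # assumed: wrong guesses allowed per issued code
LOCKOUT_SECONDS = 15 * 60   # assumed: how long sign-in is blocked after MAX_ATTEMPTS


@dataclass
class PendingCode:
    code_hmac: bytes   # only a keyed hash is stored, never the code itself
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    # Server-side key, so a leaked database does not reveal usable codes.
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)       # user -> PendingCode
    locked_until: dict = field(default_factory=dict)  # user -> unix timestamp

    def _mac(self, user: str, code: str) -> bytes:
        # Bind the hash to the user so one user's code cannot be replayed as another's.
        return hmac.new(self.server_key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue_code(self, user: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for `user`, replacing any earlier one; return it for SMS delivery."""
        now = time.time() if now is None else now
        # secrets.randbelow is a CSPRNG; random.randint would give predictable codes.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(self._mac(user, code), now + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user: str, submitted: str, now: Optional[float] = None) -> str:
        """Check a submitted code. Returns one of: ok, locked, no_code, expired, wrong."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return "locked"
        entry = self.pending.get(user)
        if entry is None:
            return "no_code"          # nothing issued, or the code was already consumed
        if now > entry.expires_at:
            del self.pending[user]    # the moving target has moved; a new code is required
            return "expired"
        # Constant-time comparison: a plain == would leak how many bytes matched.
        if hmac.compare_digest(entry.code_hmac, self._mac(user, submitted)):
            del self.pending[user]    # single use: a captured code cannot be replayed
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]    # invalidate the code and lock the account
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return "wrong"


def guess_success_probability(attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that an attacker who knows nothing about the code guesses it before lockout."""
    return attempts / 10 ** CODE_DIGITS


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue_code("alice")
    print("would send by SMS:", code)
    print(svc.verify_code("alice", "000000"))   # almost certainly "wrong"
    print(svc.verify_code("alice", code))       # "ok"
    print(svc.verify_code("alice", code))       # "no_code": already consumed
    print(f"brute-force odds before lockout: {guess_success_probability():.6f}")
```

Three design choices carry the security argument: the code is generated with `secrets` rather than `random`, only a keyed hash of it is stored, and the comparison is constant-time. The attempt cap is what turns a million-value search space into a practical barrier; without it, an attacker with your password could simply submit codes until one matched.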
What are the risks?
I could, and will, speak on the risks of SMS 2FA, but if you currently have no second factor at all, SMS 2FA at this very moment only has upside compared to your current security stack. Check out this article from Twilio if you’d like to learn more about why SMS 2FA is a good idea:
Like I said, nothing in InfoSec is foolproof, but decreasing the likelihood of an attack being successful is the name of the game. SMS 2FA does that for us, especially for those who aren’t using ANY 2FA at present. In later posts I will go in depth on the risks of SMS 2FA versus other MFA methods, but for now, read up on what 2FA and SMS 2FA are. As with anything, do your own research, make sure you’re comfortable with the information, and decide for yourself whether you’re ready to implement it. If you’d like to start by increasing the strength of your passwords first, I have written articles about both password hygiene and password managers to get you started on upping your security.