Two-factor authentication is designed to keep hackers out of your accounts, but it won't keep you safe if they can intercept your text messages.
Two-factor authentication (2FA) adds an extra layer of security to your online accounts by demanding that you prove your identity using both something you know and something you have. The something you know is your password, while the something you have is often a one-time code sent to your phone via SMS.
In theory that's enough to keep hackers at bay. They can't break into your account, even if they've discovered your password by sneaking malware onto your computer or tricking you into handing over your password as part of a phishing attack. They still need that second piece of the puzzle, sent to the phone in your hand.
The problem is that hackers have several ways to intercept your text messages, which can prove rather lucrative if it allows them to break into your online banking. Alternatively they might trawl through your inbox and cloud storage, building up a dossier of personal information so they can steal your identity.
One way to intercept text messages involves mobile hijacking, where hackers impersonate you and transfer your mobile phone number across to another telco on a new SIM card. By the time you realise your mobile phone is dead, they've already cleaned out your bank accounts.
Alternatively there are flaws in the SS7 network used by telcos to transmit text messages, flaws which allow attackers to silently intercept your messages. These well-documented flaws were recently in the news again, with security researchers showing how they could be used to break into Gmail accounts.
Warnings about these weaknesses in SMS security haven't gone unheeded by the tech giants. Many banks and other security-conscious services now use smartphone apps to generate one-time codes rather than sending the codes in a text message and risking interception.
There's still the risk that malware on your computer could intercept the two-factor code as you enter it. Some two-factor services are doing away with codes completely, such as Google Prompt which instead asks you to click on a pop-up message on your smartphone to prove that it's in your possession.
The challenge now is weaning both people and service providers off SMS-based two-factor notifications. They're better than nothing, but if you're particularly concerned about security then it's time to look for something more secure. It's worth checking whether your providers offer alternatives.
Two-factor authentication is a quick, easy way to add extra security to your accounts (or password managers). For even more security and peace of mind, consider buying a hardware token like the YubiKey or Google Titan.
They're incredibly easy to set up, and as long as you keep the USB accessory on or near you (on your keyring, for example), you'll be able to sign in to supported accounts and services as quickly as typing a password. And since nobody else has your hardware authenticator, your accounts are protected from anyone who doesn't physically hold it.