So Hey You Should Stop Using Texts for Two-Factor Authentication
This article describes why SMS is not secure for two-factor authentication. As soon as information is sent via the Internet or a cellular network, it can be intercepted. Therefore, the second factor, the “thing you have”, should be something that creates a code locally, be it a token device or an app on your smartphone.
Since two-factor authentication became the norm for web services that care about securing your accounts, it’s started to feel like a security blanket, an extra layer keeping your data safe no matter whether your password is as strong as 8$&]$@I)9[P&4^s or as dumb as dadada. But a two-factor setup—which for most users requires a temporary code generated on, or sent to, your phone in addition to a password—isn’t an invincibility spell. Especially if that second factor is delivered via text message.
The last few months have demonstrated that SMS text messages are often the weakest link in two-step logins: Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe. Whenever possible, it’s worth taking a minute to switch to a better system, like an authentication smartphone app or a physical token that generates one-time codes. And for services like Twitter that only…
Read the entire article from Wired here: So Hey You Should Stop Using Texts for Two-Factor Authentication