So Hey You Should Stop Using Texts for Two-Factor Authentication

One of the problems with contemporary computer systems is that they rely on a login name and a password, and both are routinely either disclosed through data breaches or chosen by users in ways that make the combination relatively easy to guess. Two-factor authentication is designed to alleviate this by requiring a second, short-lived code, which the user inputs along with the password in order to access the service. This ‘other factor’ is meant to stop an unauthorized third party who has obtained the password from accessing protected systems (e.g. email or social media accounts).

However, many of these second-factor codes are delivered over text messages. The problem is that there is a litany of ways that texts can be intercepted or diverted, such as SIM-swap fraud or attacks on the carrier network, and any of them reduces the efficacy of the two-factor system. Some companies have partially moved away from SMS-based second factors, but others, such as Twitter, have not. The aim of the article under discussion is to argue that users should themselves migrate from text-based second factors to a more secure method.
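To make concrete what ‘a more secure method’ usually means in practice, here is an added example (not code from the article or from this post) of the authenticator-app approach: an RFC 6238 TOTP generator and a server-side verifier in Python. The assumption is that the alternative being recommended is an app that derives each code from a shared secret and the current time, so that no code ever travels over the carrier network for an attacker to intercept or divert. The secret and timestamps used for checking are the public test vectors from RFC 4226 and RFC 6238; the base32 secret is a constructed sample of the kind an app reads from a QR code; the skew window and replay check are design choices of this example, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since t0.
    Both sides compute this locally; nothing is sent to the user."""
    return hotp(secret, (for_time - t0) // step, digits, digestmod)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app imports from a QR code / otpauth URI.
    Apps commonly omit '=' padding and insert spaces, so normalise first."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side of the exchange. Accepts the code for the current time step or
    for `window` steps either side (clock skew), compares in constant time, and
    refuses to accept a step at or before the last accepted one (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1  # per-user state; persist it in a real deployment

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue  # already used, or older than a code we already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed sample secret, as it would appear in an enrolment QR code.
    secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    verifier = TotpVerifier(secret)
    print("current code:", code)
    print("first submission accepted:", verifier.verify(code, now))
    print("replayed submission accepted:", verifier.verify(code, now))
```

The point of the verifier is that the only thing crossing the network is the six-digit code the user types into the service they are logging into, over the same TLS session as the password; the carrier never sees a message to divert. The `last_accepted_counter` must be stored per user, since without it a code that was phished and used once would remain valid for the rest of its window.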

This is entirely accurate when individuals are being targeted. But when an attacker is unwilling to invest much time or effort, for instance when running leaked password lists against many accounts or otherwise just ‘testing’ accounts rather than seriously attacking them, even text-based two-factor authentication can suffice. While I agree that ideally individuals will move to a second factor that isn’t SMS-based, there is a significant degree of friction in getting individuals to download new applications, and ‘token-based’ modes of authentication can be challenging to deploy because tokens get lost, damaged or forgotten. In effect: while the call from the author is good, I have to ask whether this ‘solution’ is the one we should spend years shuffling users towards, or whether we should instead wait for a superior alternative.