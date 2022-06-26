Two-step authentication (2FA) is an important, even essential, addition to any account, from email and social media to banking systems and e-commerce platforms. The protocol requires a second code, in addition to the email address and password, which is normally sent to the user's cell phone to confirm that the person logging in is the account's owner; that is why text messages (SMS) became a common way of delivering it.

That, however, is far from the safest way to do it. Whether because of the carelessness of digital platforms in how they deliver numeric codes or because messages can be intercepted and SIM cards cloned, SMS for two-step verification is no longer recommended by experts; Microsoft itself has asked people to stop using this method.

Why is using SMS for two-step authentication not secure?

SIM card cloning and call or text forwarding make receiving two-step verification codes via SMS or voice call insecure (Image: Handout/Motorola)

The absence of end-to-end encryption in text-message delivery is only one of the reasons. Using this format is, of course, better than nothing, but SMS messages can be intercepted if a criminal manages to clone your SIM card, for example. Voice calls, an option many online platforms also offer, are insecure for the same reasons.

Advanced attacks recently detected by security researchers have shown that call forwarding can be used to hijack accounts by redirecting the calls that carry access codes. The same goes for text messages, which can end up in the hands of the criminals who already hold your login and password, obtained from a data leak, for example. In such cases, bypassing two-step authentication is easy.

The same applies to stolen cell phones when the criminal manages to unlock the device. Authenticator apps can add an extra biometric check on opening, while standard text-messaging apps do not; once again, your verification codes are left at the mercy of crooks who want to get into your social-network and banking accounts.

Carelessness on the platforms' side can also expose two-step authentication codes, even when the phone has not been stolen and the person in front of it does not know its passcode. On many services the numeric code is one of the first elements of the text message, so it shows up in the notification preview on the lock screen.

Two-step authentication codes are placed at the beginning of SMS messages so that they are easy to read from notifications; this convenience also lets third parties see the codes even while the phone is locked (Image: Screenshot/Felipe Demartini/Canaltech)

This is a convenience measure: it lets the user read the verification code straight from the notification without leaving the app they are logging into. As with many convenience-driven choices, however, security is left somewhat aside, making it easier for spouses, family members or attackers within reach of the device to break into accounts.

The same goes for voice calls, since smartphones do not require a passcode or biometrics to answer them. If that is the option configured on an online service, anyone near your cell phone can pick up the call and, with it, the two-step authentication code, defeating the purpose of this additional security layer.

How to do two-factor verification safely?

Authenticator apps are offered by names like Google and Microsoft and are safer alternatives than sending codes via text messages (Image: Screenshot/Felipe Demartini/Canaltech)

When enabling two-step authentication in apps or online services, prefer applications dedicated to the purpose. Some of the world's leading technology companies have their own software for this, which generates one-time codes that rotate on a short timer (typically every 30 seconds) and comes with its own protections against unauthorized access.

Among the most popular options are Google Authenticator, Microsoft Authenticator and Twilio Authy. All of them keep the enrolled accounts in one place for easy access, and they can integrate with the smartphone's biometric systems, requiring a fingerprint, face or passcode to open.
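The authenticator apps named above generate their rotating codes with the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): an HMAC over a counter derived from the current time, truncated to six digits. The block below is an added example written for this article, not code from Google, Microsoft or Twilio, showing both the generation side (what the app does) and the verification side (what a service should do: a small clock-drift window, constant-time comparison, and rejection of a code that has already been used). The secret is the RFC 6238 test-vector secret, and the timestamps are constructed inputs chosen to match the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app computes every `step` seconds."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Accepts the code for the current time step or up to
    `window` steps either side (phone clock drift), comparing in constant time
    so response timing does not leak how many digits matched.
    Returns the matched counter (needed for replay protection) or None."""
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return counter + delta
    return None


class TotpVerifier:
    """Per-account verifier that also enforces single use: a TOTP code that was
    already accepted must not be accepted again inside its validity window,
    otherwise an intercepted code can be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter ever accepted for this account

    def check(self, code: str, at: int) -> bool:
        matched = verify_totp(self.secret, code, at, self.step, self.digits, self.window)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (the `secret=`
    parameter of an otpauth:// URI or a typed-in key); restore padding and decode."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"), constructed input.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(secret, 59))            # RFC vector: 287082
    verifier = TotpVerifier(secret)
    print("first use accepted:", verifier.check("287082", 59))
    print("replay 20s later rejected:", verifier.check("287082", 79))
```

The `window` of one step on each side tolerates up to about 30 seconds of clock drift on the phone; widening it makes brute force and replay easier, so keep it small. Tracking `last_counter` is what stops a code captured from a lock-screen preview or a forwarded SMS from being reused after the legitimate user has already logged in.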

For services that do not support app-based two-step authentication, a good tip is to prefer email verification; the official Gmail, Outlook and other email apps also integrate with the phone's biometric systems. That email account must itself be protected with an authenticator app, so that third parties cannot get into it and read the codes.

Hiding message previews on the cell phone’s locked screen helps prevent two-step authentication codes, even from SMS, from being obtained by third parties who are in possession of the device (Image: Screenshot/Felipe Demartini/Canaltech)

It is also worth disabling message previews on the lock screen of iOS and Android phones. That way, even in a lock-screen notification, the content can only be seen by someone who passes the biometric or passcode check; if someone else has your cell phone in hand, they will not be able to read the texts.

Finally, remember that two-step authentication codes should never be shared with anyone. Support agents will not ask for them, nor will any service-related registration; this information is for the user alone, to access their own account.