SMS 2FA: Two Factor Authentication by SMS.
In many cases, it's better to not have 2FA than SMS 2FA.
As a rule of thumb, don't ever hand out your mobile number to sites.

The problem with SMS authentication

SMS authentication is completely insecure, as has been proven multiple times in the past. It can easily be attacked in multiple ways. So easy, that in Germany it is now illegal for banks to use mTAN (SMS 2FA) for example. Bank accounts have been hacked multiple times because of the SMS weaknesses.

A more famous case is the one where Twitter CEO has been hacked because of SMS authentication.

How can SMS be hacked?

There are many ways. Technical, legal, illegal and social engineering.

Just to list a few:

  • Social engineering: Calling the phone provider pretending to be the victim and ordering a secondary SIM card to another address. Sounds too stupid to be true but it’s a method that worked many times in the past. And once it worked, you easily get to see all SMS including authentication codes.
  • Social engineering: Again calling the phone provider, pretending to be the victim but this time trying to port the number to another SIM card in your possession. This also happened in the past. There is no cure for stupidity.
  • Technical: With a cheap DVB-T stick and SDR (Software Defined Radio). You just have to be in physical proximity of the victim and you can sniff and capture the SMS and decrypt it. Yes, SMS encryption is weak and can easily be cracked.
  • Technical: Spyware (Malware) infection on your phone.
  • Legal: Authorities can easily read your SMS.
  • Illegal: Authorities can easily read your SMS.
  • Obvious one: Grabbing your phone and running off with it. ;D

But why better no 2FA than SMS 2FA?

Bad implementation. 2FA as the name says, should really only be second factor and never single factor. Especially with the insecure SMS. Many sites that offer SMS 2FA also offer ways to reset your password by SMS in case you get locked out, or even send a single-sign-on code by SMS. The very ways which an attacker would use to gain full access to your account. In such cases it would be better to just have a strong, unique password for each site, than having an SMS backdoor. In fact, you should of course always have a strong unique password for each site.

But in short, SMS authentication is a backdoor to your account.

What are alternatives?

Of course, you could use OATH-TOTP, commonly known as “Google Authenticator” and compatible apps like Authy. They work by having a shared secret (the server and your app know a secret key), which is used together with the current time to calculate an often-times 6 digit long code. This means there is no communication happening which could be intercepted. But of course this too, is vulnerable to malware attacks depending on the circumstances. But not as vulnerable as SMS authentication as the secret key is usually stored in a way that other apps cannot read out, unless your phone is outdated and the malware can exploit a vulnerability to escalate privilege and start reading things it shouldn’t.

An even more secure way would be a completely offline, hardware-based token generator. But I have yet to find a good solution.

A note on Authy

While Authy is popular, compatible with Google Authenticator and allows for backups of your secrets, it too has a weakness. Multiple ones actually.

First, Authy requires you to create and sign in to an account by SMS. Do you spot the mistake?

Secondly – even if you have encryption enabled – metadata like account name and website name are unencrypted, which means that the people behind Authy and anyone with access to the server (or which hack your SMS), can see all the accounts you have access to and link it to your phone number, too. I’m sure the authorities love it! ;)

Third, if you for some reason did not enable encryption: Congratulations you are a fool. You just gave away all your secrets.

So, how to 2FA then?