Ask Leo! #651 – Why SMS Two-Factor Is Better than No Two-Factor at All

Reminder: Excel Macros for Beginners

Just a quick reminder that early-bird pricing - 20% off - for Allen Wyatt's Excel Macros for Beginners, which I mentioned last week, ends on Wednesday. If you use Excel at all it's definitely worth checking out the free videos that go into more detail about what the course is about, including telling you just what the heck a "macro" is, for those wondering. Smile

As I also said last week, I don't recommend things lightly and I've been pointing people at Allen's "Excel Tips" (and "Word Tips") for years. I'm very happy to recommend Excel Macros for Beginners without hesitation.

Why SMS Two-Factor Is Better than No Two-Factor at All


In recent weeks, there have been reports of flaws in the SMS (text messaging) protocols that allow attackers to essentially hijack SMS two-factor authentication for accounts they've targeted.

This is causing many people to avoid two-factor authentication altogether when SMS is the only option available.

I believe that's a serious mistake. SMS-based two-factor authentication is still better than no two-factor authentication at all.

Better than SMS

Since SMS does have its flaws, I want to start by pointing out that if you have an option, there are better and more flexible alternatives for two-factor authentication, including Google Authenticator, Authy, email authentication, and more.

Google Authenticator

This smartphone application generates a code that changes every 30 seconds. When you set up this kind of two-factor authentication, you establish a cryptographically secure pairing between an online service and your phone. When two-factor is used, you simply enter the code currently displayed on your phone when asked. As a bonus, no connectivity is required when using Google Authenticator. Once established, the application runs independently on your device, and as long as the time is set correctly, it just works.

I use Google Authenticator style two-factor whenever possible, but I no longer use the Google Authenticator application. The single biggest problem is that moving to a new phone1 is extremely painful, involving turning two-factor off for each account and then reestablishing it on the new device. Instead, I use Authy. You can use Authy anywhere Google Authenticator is supported. It allows you to "back up" your two-factor configuration, making it easy to move to other devices. You can even use Authy from your desktop, without reaching for your phone at all.

Whenever it's an option, I enable two-factor authentication using Authy. I currently have 14 different accounts set up this way.


Many services opt for a form of two-factor authentication based on email. When you log in, they send an email message to the email address of record, containing a link you must click to complete the log-in process. The "second factor" is your ability to access that email account.

I've seen some services use this technique to actually bypass the password requirement completely, relying on your email address being correct, your email account being secure, and your ability to click the link sent to it to verify you are who you say you are.

The problem, of course, is that this requires the ability to access your email. It's also not something that can be used as a second factor on your email account, unless it uses a different email address — your "alternate" email address — as the second factor.

Sometimes email can be delayed. If you're waiting to log in to some service, that delay can be annoying, and at worst can be long enough to invalidate the attempt.

But as long as your email account itself is secure, it's a perfectly valid way to set up a form of two-factor authentication.

SMS text messaging

When using text messaging for two-factor authentication, you're texted a code you must enter to complete the log-in process. It's quick, it's convenient, and it doesn't require data connectivity (or even a smartphone). Any device capable of receiving a text message can be used. This technique also transfers to your new phone automatically when you transfer your mobile number to the new device.

SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number…

… except when it's been intercepted. Here's where things get complicated.

SMS: the exploit

In order for SMS two-factor to be compromised, three things have to happen:

  • The attacker needs to know your username and password.
  • The attacker needs to know your mobile number.
  • The attacker needs access to a phone company. ðŸ'‚

The Naked Security Blog's article, "Bank accounts raided after crooks exploit huge flaw in mobile networks", describes how hackers got the first two items via fairly traditional means:

…hackers sent conventional fake phishing emails to victims, suckering them into visiting fake bank websites, where they were told to enter account numbers, passwords and the mobile phone numbers they had previously given their banks.

Accomplishing the third item was a little less traditional:

…the attackers "purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers."

Purchased access to a rogue phone company? Clearly possible, but not the most common scenario around, by far.

SMS: still better than nothing

Let's say you've decided that SMS isn't secure (because, as we've seen, it isn't completely secure). Further, let's say your bank or other account provider only offers SMS-based two-factor authentication (they should offer alternatives, but I know some don't).

So you elect not to use SMS at all.

Here's the requirement for your account to be hacked:

  • The attacker needs to know your username and password.

That's it. You've made it easier for hackers to access your account.

Even though it's flawed, adding SMS two-factor authentication is better than nothing, because it puts an additional barrier in place that the hacker must be motivated and able to cross in order to access your account. Most aren't motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords, and most aren't able. Where does one go to purchase access to a rogue telephone company, anyway?

2FA: still your best defense

Note that with two-factor authentication, hackers can't access your account even if they know your password.

I strongly recommend using two-factor in one form or another, be it Google Authenticator, Authy, email, SMS, or something else.

In a world of malware, phishing, assorted database compromises, and other perils, two-factor authentication remains a critical way to keep your most important accounts secure.

And maybe even some of those not-so important accounts as well.

Related Links & Comments: Why SMS Two-Factor Is Better than No Two-Factor at All

When you have no CD/DVD...

Get one!

A common question is what to do when the new computer you just got has no optical (CD or DVD) drive. It's not uncommon at all to want to be able to boot from an installation or recovery disc, or copy data from one, which is impossible without a drive to put it in.

I quickly purchased an external USB CD drive, and later upgraded to an external CD/DVD drive when I needed to be able to access those discs as well. While I don't write CDs or DVDs very often any more, it's another option I have with one of these external drives laying around. Since it's external you only need one, regardless of how many computers you might have.

Pictured, and linked, is a highly rated option available on, where you'll find a variety of others as well.


"Hand Picked" Advertisement

How Do I Turn Off BitLocker on a Drive?

OK, I encrypted my drive. Now I'm tired of the additional hoops I need to jump through just to access my machine. I decided I don't need or want BitLocker. How do I turn it off?

I'm going to assume you're talking about BitLocker full-drive encryption, that your system drive is encrypted, and that the "additional hoop" you have to jump through is the extra password you need to specify when you reboot your machine.

Assuming you understand that anyone who steals your machine can access all the files on it, even without knowing your Windows log-in password, turning off BitLocker and decrypting your drive is a snap.

Continue Reading: How Do I Turn Off BitLocker on a Drive?

Will Microsoft Stop Forcing Windows 10 Updates?

Is Microsoft done sneaking through forced upgrades to windows 10?

This is a question I received during a recent Facebook Live video session.

I think it captures the ongoing frustration that so many people, including myself, feel when it comes to Windows 10 updates and how they're handled.

For better or for worse, the answer is actually very simple.

Continue Reading: Will Microsoft Stop Forcing Windows 10 Updates?

How Should I Store My Backup Laptop?

I recently replaced my laptop with a desktop, moving the laptop to a backup-machine status. That means I won't use it daily, or evenly weekly. How should I store the laptop? Battery in? Battery out? How long can I store it without charging it? Any other issues I should consider?

I'm going to assume you've already seen Should I remove the battery if I leave my laptop plugged in?

What's interesting here is that yours is a different — almost opposite — situation: infrequent use.

That actually makes this more difficult. Let's review the options.

Continue Reading: How Should I Store My Backup Laptop?

The Ask Leo! Tip of the Day

A feature exclusively available to Ask Leo! Patrons Bronze level & above.

More Ask Leo!

Become a Patron
Books - Business - Glossary
Facebook - YouTube - More..

Leo's Other Projects....

HeroicStories Since 1999, HeroicStories brings diverse, international voices to the world ' reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.

Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it. - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.

Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at for their own FREE subscription!

Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC

Posted: May 9, 2017 in: 2017
« Previous post:
Next post: »

New Here?

Let me suggest my collection of best and most important articles to get you started.

Of course I strongly recommend you search the site -- there's a ton of information just waiting for you.

Finally, if you just can't find what you're looking for, ask me!

Confident Computing

Confident Computing is the weekly newsletter from Ask Leo!. Each week I give you tools, tips, tricks, answers, and solutions to help you navigate today’s complex world of technology and do so in a way that protects your privacy, your time, and your money, and even help you better connect with the people around you.

The Ask Leo! Guide to Staying Safe on the Internet – FREE Edition

Subscribe for FREE today and claim your copy of The Ask Leo! Guide to Staying Safe on the Internet – FREE Edition. Culled from the articles published on Ask Leo! this FREE downloadable PDF will help you identify the most important steps you can take to keep your computer, and yourself, safe as you navigate today’s digital landscape.

My Privacy Pledge

Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.