I think we have all encountered two-factor authentication (2FA) from time to time, for example when setting up an email or any other online account. 2FA gives us a second layer of protection when we log in to Gmail or even ZOOM: after entering a password, users get a prompt to check their phone for an SMS code before they can proceed. I usually went the SMS route to get the 2FA codes to log into my accounts, but there is a risk associated with using SMS for two-factor authentication.
The risk of SMS two-factor authentication
For a good long while I thought that SMS 2FA was bulletproof, but there was a danger I had overlooked. Your mobile network operator is the intermediary between you and the one-time password that lets you proceed. That presents a real problem because services require you to have one number linked to your account, and whoever controls that number receives the codes.
Hackers, or anyone with the wherewithal, could clone your phone number or move it to another device. A study published in January this year revealed that some US carriers were vulnerable to SIM swap attacks. If someone is able to do this, they could gain access to a number of accounts that are linked to that number. A way to avoid a situation like this is to use an authentication app.
What is an authentication app?
Authentication apps generate one-time passwords for two-factor authentication. The one-time passwords are created by an algorithm and they are time-sensitive: the password the application gives you only works for a short time before another is generated. We briefly touched on authentication apps when ZOOM rolled out an update that allowed users to include 2FA when logging in. Since that time I have tried out a number of authentication applications:
- Google Authenticator (iOS, Android)
- Microsoft Authenticator (iOS, Android, Windows)
- FreeOTP (iOS, Android)
- LastPass Authenticator (iOS, Android, Windows)
I can’t really nail down why, but I preferred Google Authenticator; the others are really good too. It’s really simple to add an authentication app as your 2FA option. We can take Gmail as an example using Google Authenticator:
- Download Google Authenticator (iOS, Android)
- Enable two-factor authentication (if you haven’t already) by going to myaccount.google.com
- Click Security on the left side of the screen
- Scroll down to the Signing into Google section
- Look for the option to turn on 2-step verification (if it isn’t already on, select the option to turn it on)
- If you haven’t already enabled 2FA, you’ll get prompts to enter your Gmail account password. You’ll need to enter your phone number and then choose SMS.
- You’ll get an SMS code that will allow you to complete 2FA setup
- On that same page, you will see options for how you want to receive your codes. Click the option that reads “Choose other option”
- Select Google Authenticator
- You will then be prompted to select the type of mobile operating system. Choose the device that you have installed the Google Authenticator on.
- You’ll then be presented with a QR code to scan.
- Open the Google Authenticator app on your device. Tap the plus icon in the bottom right corner and scan the QR code.
- You’ll then be prompted to enter the code that comes up in the Google Authenticator.
- Enter the code and click done.
You’ll still get codes from Google Authenticator even if your mobile phone has no internet connection, because the codes are computed on the device from the secret it received during setup and the current time.
When you log into your Gmail you’ll have to enter your password as usual but you’ll also have to enter the code generated by Google Authenticator.