Avoid using codes texted to your phone for 2-factor authentication.
I'm all about 2-factor authentication, but what I've discovered recently has made me more cautious about how I set it up...
Using your cell number is one of the most common ways to set up 2-factor authentication. Everyone has typed in a code texted to their phone to get access to a site or reset a password... yet we are discovering risks with this option.
When you lose control over your cell number — maybe it’s hijacked by fraudsters, you get separated or divorced, late on your phone bill payments, or you switch carriers, and your old carrier rehashes your number — whoever inherits the number can be YOU in a lot of places online.
Countless sites still allow users to reset passwords with nothing more than a one-time code texted to a cell number on the account.
Losing control of your cell number is as dangerous as a hacker getting their hands on your Social Security Number!
Here's a quick story about someone affected by this:
"A while ago I bought a new phone and got a new number. I went on Yahoo! mail and typed in the number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me an access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, yet the email of the previous owner.
Yahoo! didn’t even ask me to type the email address or the first and last name. It merely sent me the SMS, I typed the code I received, and it gave me access to the email of my number’s PREVIOUS OWNER. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or my first and last name before sending me an SMS which contains an access code."
You can't avoid this danger on some sites, yet if you do have an option to choose how to set up your 2-factor authentication, we recommend using these methods:
Google Authenticator (App)
LastPass Authenticator (App)
Yubico "Yubi Key" Authenticator Key (Hardware)
Apps do an excellent job with secure 2-factor, yet for those of you that might not have access to your phone or want that physical security, A 2FA hardware key is a great option.
Personally, I use both. If you have any questions, reach out. I'm happy to help anyone.
Stay safe out there,