This Is Why You Should Consider Shifting To Authenticator Apps For Your 2FA Codes
SMS has been around forever, and that means that many of us have it set up for all kinds of things, with hospital appointment reminders, two-factor authentication codes, and more sent in text form to a user’s phone. That’s all worked relatively well on the whole, but a newly reported data breach has highlighted how frail that process can be.
The problem was noted after a Berlin-based security researcher called Sébastien Kaul discovered that a Voxox-managed database was discoverable, completely unprotected, and even searchable for identifiable information like names and telephone numbers.
There were 26 million text messages found in total, and they were all wide open. With the database remaining available even after the security flaw was found, it’s possible that anyone could have intercepted messages, including those used for two-factor authentication. The database was only taken offline once TechCrunch got involved.
Two-factor authentication is used to offer another line of authentication beyond usernames and passwords. Once those two things are provided, a code is sent to the user via SMS, which should, in theory, mean only someone with their phone can enter it and gain access. However, if the messages on the Voxox server were compromised, that might not be the case here.
What this really teaches us, beyond the fact that nothing seems to be secure these days, is that using SMS for things like two-factor authentication is a bad idea. Apps like Google Authenticator, Authy, or similar are a better bet when it comes to generating two-factor authentication codes, but how many will make the shift even after the frailty of SMS has been laid bare?