{"id":2324,"date":"2020-11-04T13:35:51","date_gmt":"2020-11-04T10:35:51","guid":{"rendered":"https:\/\/mailsafi.com\/blog\/?p=2324"},"modified":"2020-11-16T17:53:54","modified_gmt":"2020-11-16T14:53:54","slug":"problems-with-sms-for-2fa","status":"publish","type":"post","link":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/","title":{"rendered":"Are you using SMS for your 2FA? Here\u2019s why you shouldn\u2019t."},"content":{"rendered":"\n<p>Especially for business email, using two-factor authentication (2FA) is the right thing to do, but you put yourself at risk by getting codes over SMS (text messages). We explain why.<\/p>\n\n\n\n<p><a href=\"https:\/\/mailsafi.com\/blog\/two-factor-2fa-authentication-why-you-should-use-it\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><span class=\"has-inline-color has-vivid-cyan-blue-color\">Two-factor authentication (2FA)<\/span><\/strong><\/a> brings an added layer of security that passwords alone can\u2019t provide. When it comes to email, requiring an extra step for a user to prove their identity reduces the chance of an unauthorized person gaining access to your email account.<\/p>\n\n\n\n<p>One of the most common methods of 2FA is SMS (text messages). However, while popular, using SMS for authentication is actually not a great idea. 
Hackers have several tools that can intercept, phish, and spoof SMS, therefore, making SMS authentication a less secure medium.<\/p>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:32px\"><span class=\"ez-toc-section\" id=\"1_How_hackers_intercept_SMS\"><\/span>1. <strong>How hackers intercept SMS<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>It is a great idea to add 2FA to email access, especially webmail access, to increase email security. Password attacks are becoming more sophisticated, and even complex passwords can be cracked. Therefore, requiring additional authentication for accessing email will ensure better protection.<\/p>\n\n\n\n<p>But after taking that additional security step, why use an insecure form of communication for that verification? After all, SMS (text) messages are based on telephone networks. The first hackers were a bunch of folks who were looking for cool ways to get around phone networks. 
Intercepting SMS is, therefore, a walk in the park for many hackers.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.issms2fasecure.com\/assets\/sim_swaps-01-10-2020.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>Studies <\/strong><\/span><\/a>have found that the main issue with using SMS in 2FA is that the mobile service providers themselves and their networks are vulnerable to phishing, spoofing, and social engineering.<\/p>\n\n\n\n<h4 class=\"has-medium-font-size wp-block-heading\"><span class=\"ez-toc-section\" id=\"Here_are_some_examples\"><\/span>Here are some examples:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul><li>A hacker can hijack your phone number by convincing your mobile service provider (through social engineering) to transfer\/port it to another SIM card (SIM swap). In most cases, this could be as easy as knowing your phone number and providing your National Identity Card or Social Security Number \u2013 data that tends to be easily leaked by government agencies, financial institutions, or other corporates. Once a hacker has redirected your phone number, they no longer need your physical phone to gain access to your 2FA codes. Before you notice, the hacker will have already accessed your email.<\/li><li>If you sync SMS messages with your computer, laptop, or tablet, a hacker could access SMS codes by stealing any of these devices.<\/li><li>A hacker can intercept an SMS message due to weaknesses in the mobile service providers\u2019 systems. In what&#8217;s called an SS7 attack, a hacker can spy via the cell phone system, listen to calls, intercept SMS messages, and see your phone location.<\/li><li>It is very easy to spoof an SMS message: there is no SSL or certificate to verify where it really came from.<\/li><li>Unfortunately, you cannot control phishing at the mobile service providers\u2019 company. 
<\/li><li>If you know some basic information about the person, you can get the PIN changed. Spoofing may actually be combined with phishing to gain access. This process allows hackers to falsify a message to appear like it\u2019s coming from a legitimate source. The message will alert the victim that they need to reply with the security code. At the same time, the hacker will trigger a login 2FA request. If the victim replies with that code, the hacker can use it to gain access.<\/li><\/ul>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:32px\"><span class=\"ez-toc-section\" id=\"2_Alternatives_to_SMS_for_2FA\"><\/span>2. <strong>Alternatives to SMS for 2FA<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>While it\u2019s best to skip 2FA if SMS is the only option, this doesn\u2019t solve the reason for adding 2FA in the first place. To prevent brute force and other attacks targeting password-only authentication, some form of 2FA is needed.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:28px\"><span class=\"ez-toc-section\" id=\"21_Hardware_authentication_for_2FA\"><\/span><strong>2.1 Hardware authentication<\/strong> for 2FA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Hardware authentication relies on a dedicated physical device to grant access. Users will also have to input a random token code generated by the device along with their password. Logins will fail without the code. 
Some providers of hardware authentication include RSA SecurID and Thales SafeNet.<\/p>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"332\" height=\"249\" src=\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image.png\" alt=\"\" class=\"wp-image-2326\" srcset=\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image.png 332w, https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image-300x225.png 300w\" sizes=\"(max-width: 332px) 100vw, 332px\" \/><figcaption>RSA SecurID<\/figcaption><\/figure><\/div>\n\n\n\n<p>The physical nature of this method does have the potential for devices to be lost and stolen. But it does address many of the security issues inherent to SMS-based 2FA.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:28px\"><span class=\"ez-toc-section\" id=\"22_App_authentication_for_2FA\"><\/span><strong>2.2 App authentication<\/strong> for 2FA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>App authentication is, essentially, the same principle as hardware authentication. However, instead of requiring a physical device, token codes are generated with a mobile application. Some popular authentication apps are Google Authenticator, Microsoft Authenticator, or Authy. 
RSA now also offers their SecurID authenticator as an app.<\/p>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"291\" height=\"504\" src=\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image-1.png\" alt=\"\" class=\"wp-image-2328\" srcset=\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image-1.png 291w, https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/image-1-173x300.png 173w\" sizes=\"(max-width: 291px) 100vw, 291px\" \/><figcaption>Google Authenticator<\/figcaption><\/figure><\/div>\n\n\n\n<p>It may seem counterintuitive to recommend authentication based on a mobile device. However, the app is not relying on SMS or the phone network for authentication, eliminating the inherent flaws in SMS-based 2FA.<\/p>\n\n\n\n<p>An authentication app has the advantage of not needing to rely on your carrier. These apps can be downloaded from any Android, Windows, or iOS phone. Codes expire quickly, usually after about 30 seconds. Since an authentication app doesn&#8217;t need your carrier to transmit codes, they will stay with the app even if a hacker manages to move your number to a new phone.<\/p>\n\n\n\n<p>Although using an authentication app requires a little extra setup initially, in the long run, it offers better protection than SMS. <strong><a href=\"https:\/\/www.mailsafi.com\/email-hosting\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">MailSafi <\/span><\/a><\/strong>uses Google Authenticator for 2FA.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:28px\"><span class=\"ez-toc-section\" id=\"23_Biometric_authentication\"><\/span><strong>2.3 Biometric authentication<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Using a thumbprint or facial recognition is becoming more commonplace. 
Biometric authentication relies on a unique physical trait of an individual and is therefore very accurate in authenticating the end user.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:28px\"><span class=\"ez-toc-section\" id=\"24_IP-based_authentication\"><\/span><strong>2.4 IP-based authentication<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This method checks the user\u2019s IP address when logging in. You can block access to specific IP addresses suspected to be malicious, or simply only allow logins from known IP addresses and ranges. IP-based authentication can be used in conjunction with other forms to add another layer of protection.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:28px\"><span class=\"ez-toc-section\" id=\"25_GPS_authentication\"><\/span><strong>2.5 GPS authentication<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This method uses GPS data as an added level of security that allows banks or other payment providers to use the geolocation information gained from the app to determine whether a transaction aligns with the location of the individual\u2019s mobile.<\/p>\n\n\n\n<h3 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:32px\"><span class=\"ez-toc-section\" id=\"3_If_the_only_option_I_have_is_SMS_for_2FA_should_I_use_it\"><\/span>3. <strong>If the only option I have is SMS for 2FA, should I use it?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-pullquote\"><blockquote><p>Yes, if it\u2019s the only option available for 2FA, just use it!<\/p><\/blockquote><\/figure>\n\n\n\n<p>Although we have made a case against using SMS for 2FA, using SMS is better than not using 2FA at all. 
When you don\u2019t use two-factor authentication, a hacker only needs to obtain, crack, or guess your password to sign in to your email account.<\/p>\n\n\n\n<p>When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your SMS messages to get into your account. For this reason, SMS is more secure than nothing at all.<\/p>\n\n\n\n<h2 class=\"has-vivid-red-color has-text-color wp-block-heading\" style=\"font-size:32px\"><span class=\"ez-toc-section\" id=\"4_Summary\"><\/span>4. <strong>Summary<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Relying on SMS for authentication actually introduces a layer of risk to your email security. Alternatives to SMS authentication are app authentication, hardware authentication, biometric authentication, GPS authentication, and IP-based authentication.<\/p>\n\n\n\n<p>That said, if SMS is your only option for 2FA, please go ahead and use it, but this should be even more reason to pair it with a good password strategy.<\/p>\n\n\n\n<p>While stronger 2FA options are recommended, they are not a replacement for a good password strategy. 
Think about it like you would your home security: A strong burglarproof front door is great, but it won\u2019t matter if you leave the key under the doormat.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Especially for business email, using two-factor authentication (2FA) is the right thing to do, but you put yourself at risk by getting codes over SMS (text messages). We explain why. Two-factor authentication (2FA) brings an added layer of security that passwords alone can\u2019t provide. 
When it comes to email, requiring an extra step for a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2338,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[219,23,227,217],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SMS for 2FA (Two-factor authentication: Why it&#039;s not a Good Idea | MailSafi<\/title>\n<meta name=\"description\" content=\"Especially for business email, using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS\" \/>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SMS for 2FA (Two-factor authentication: Why it&#039;s not a Good Idea | MailSafi\" \/>\n<meta property=\"og:description\" content=\"Especially for business email, using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS\" \/>\n<meta property=\"og:url\" content=\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\" \/>\n<meta property=\"og:site_name\" content=\"The MailSafi Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/msgafricaltd\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-11-04T10:35:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-11-16T14:53:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"262\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"the_leaders\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@msgafricaltd\" \/>\n<meta name=\"twitter:site\" content=\"@msgafricaltd\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"the_leaders\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\"},\"author\":{\"name\":\"the_leaders\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/d2ec682ba327149927593938af3f9d14\"},\"headline\":\"Are you using SMS for your 2FA? Here\u2019s why you shouldn\u2019t.\",\"datePublished\":\"2020-11-04T10:35:51+00:00\",\"dateModified\":\"2020-11-16T14:53:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\"},\"wordCount\":1204,\"publisher\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png\",\"keywords\":[\"2fa\",\"email security\",\"SMS for authentication\",\"two-factor authentication\"],\"articleSection\":[\"Email Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\",\"url\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\",\"name\":\"SMS for 2FA (Two-factor authentication: Why it's not a Good Idea | MailSafi\",\"isPartOf\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png\",\"datePublished\":\"2020-11-04T10:35:51+00:00\",\"dateModified\":\"2020-11-16T14:53:54+00:00\",\"description\":\"Especially for business email, 
using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS\",\"breadcrumb\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage\",\"url\":\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png\",\"contentUrl\":\"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png\",\"width\":650,\"height\":262,\"caption\":\"SMS for 2FA\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/mailsafi.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Are you using SMS for your 2FA? 
Here\u2019s why you shouldn\u2019t.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#website\",\"url\":\"https:\/\/mailsafi.com\/blog\/\",\"name\":\"The MailSafi Blog\",\"description\":\"We Stop Spam\",\"publisher\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/mailsafi.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#organization\",\"name\":\"Message Labs Africa\",\"url\":\"https:\/\/mailsafi.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"Message Labs Africa\"},\"image\":{\"@id\":\"https:\/\/mailsafi.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/msgafricaltd\/\",\"https:\/\/x.com\/msgafricaltd\",\"https:\/\/www.linkedin.com\/feed\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/d2ec682ba327149927593938af3f9d14\",\"name\":\"the_leaders\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7ca448387530cb3177261ca8cd87ff2a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7ca448387530cb3177261ca8cd87ff2a?s=96&d=mm&r=g\",\"caption\":\"the_leaders\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SMS for 2FA (Two-factor authentication: Why it's not a Good Idea | MailSafi","description":"Especially for business email, using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/","og_locale":"en_US","og_type":"article","og_title":"SMS for 2FA (Two-factor authentication: Why it's not a Good Idea | MailSafi","og_description":"Especially for business email, using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS","og_url":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/","og_site_name":"The MailSafi Blog","article_publisher":"https:\/\/www.facebook.com\/msgafricaltd\/","article_published_time":"2020-11-04T10:35:51+00:00","article_modified_time":"2020-11-16T14:53:54+00:00","og_image":[{"width":650,"height":262,"url":"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png","type":"image\/png"}],"author":"the_leaders","twitter_card":"summary_large_image","twitter_creator":"@msgafricaltd","twitter_site":"@msgafricaltd","twitter_misc":{"Written by":"the_leaders","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#article","isPartOf":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/"},"author":{"name":"the_leaders","@id":"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/d2ec682ba327149927593938af3f9d14"},"headline":"Are you using SMS for your 2FA? 
Here\u2019s why you shouldn\u2019t.","datePublished":"2020-11-04T10:35:51+00:00","dateModified":"2020-11-16T14:53:54+00:00","mainEntityOfPage":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/"},"wordCount":1204,"publisher":{"@id":"https:\/\/mailsafi.com\/blog\/#organization"},"image":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage"},"thumbnailUrl":"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png","keywords":["2fa","email security","SMS for authentication","two-factor authentication"],"articleSection":["Email Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/","url":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/","name":"SMS for 2FA (Two-factor authentication: Why it's not a Good Idea | MailSafi","isPartOf":{"@id":"https:\/\/mailsafi.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage"},"image":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage"},"thumbnailUrl":"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png","datePublished":"2020-11-04T10:35:51+00:00","dateModified":"2020-11-16T14:53:54+00:00","description":"Especially for business email, using 2FA is the right thing to do, but you put yourself at risk by receiving codes over SMS","breadcrumb":{"@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#primaryimage","url":"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png","contentUrl":"https:\/\/mailsafi.com\/blog\/wp-content\/uploads\/2020\/11\/sms-for-2fa.png","width":650,"height":262,"caption":"SMS 
for 2FA"},{"@type":"BreadcrumbList","@id":"https:\/\/mailsafi.com\/blog\/problems-with-sms-for-2fa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/mailsafi.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Are you using SMS for your 2FA? Here\u2019s why you shouldn\u2019t."}]},{"@type":"WebSite","@id":"https:\/\/mailsafi.com\/blog\/#website","url":"https:\/\/mailsafi.com\/blog\/","name":"The MailSafi Blog","description":"We Stop Spam","publisher":{"@id":"https:\/\/mailsafi.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mailsafi.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/mailsafi.com\/blog\/#organization","name":"Message Labs Africa","url":"https:\/\/mailsafi.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mailsafi.com\/blog\/#\/schema\/logo\/image\/","url":"","contentUrl":"","caption":"Message Labs 
Africa"},"image":{"@id":"https:\/\/mailsafi.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/msgafricaltd\/","https:\/\/x.com\/msgafricaltd","https:\/\/www.linkedin.com\/feed\/"]},{"@type":"Person","@id":"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/d2ec682ba327149927593938af3f9d14","name":"the_leaders","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mailsafi.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7ca448387530cb3177261ca8cd87ff2a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7ca448387530cb3177261ca8cd87ff2a?s=96&d=mm&r=g","caption":"the_leaders"}}]}},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/posts\/2324"}],"collection":[{"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/comments?post=2324"}],"version-history":[{"count":10,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/posts\/2324\/revisions"}],"predecessor-version":[{"id":2342,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/posts\/2324\/revisions\/2342"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/media\/2338"}],"wp:attachment":[{"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/media?parent=2324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/categories?post=2324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mailsafi.com\/blog\/wp-json\/wp\/v2\/tags?post=2324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}