12-06-17 | Blog Post

The dangers of using SMS text for two-factor authentication


Two-factor authentication is widely recommended as a security practice that adds an extra layer of protection to your network and personal accounts, but according to security researchers, if you use SMS text messages as your second factor, those messages can be intercepted and exploited.

Security researchers demonstrated how easily they could bypass the two-factor setup on a Bitcoin wallet account, simply by intercepting the text message sent over the cellular network. Once they had reset the password on the Gmail account associated with the wallet, taking control of the wallet itself was easy.

This might sound like a problem with the wallet, but it is really a telecom issue. According to The Verge, the network that telecom carriers use to keep track of phone calls and messages between phones (known as the SS7 network) has a number of vulnerabilities, and while access to this network is supposedly restricted, there are plenty of hijacking services available for hire.

Two-factor authentication is an important layer of security for your accounts, but like anything else it is not a silver bullet and can be broken. Keep two-factor, but consider other security measures as well, such as restricted admin access and a strong firewall. Other forms of second factor include a one-time code from an app on your phone, such as Duo or Google Authenticator, rather than a code sent by SMS text. You can also use something physical you own besides your phone, such as a USB security key or key fob.

Does Online Tech offer two-factor authentication?

Online Tech offers two-factor authentication for VPN access, with the secondary authentication method of the client's choice, including push notification, passcode, text (if you're really sold on it) or phone call. We take data protection very seriously and believe this is one of the best ways to protect our clients from unauthorized network access, account takeover and data theft.

Keep two-factor authentication, as mentioned above, but use an alternate method for the second factor that doesn't involve text messages. Until the cellular network is strengthened, SMS-based authentication is risky and should not be used.

Other two-factor resources:

Two-factor authentication to meet HIPAA and PCI compliance

Two-factor FAQ for VPN login

Tech tutorial: Two-factor authentication
