Keeping our digital accounts secure is a tricky process, especially given how quickly information travels online — as soon as new security methods are developed, cybercriminals work to figure out how to get around them. People aren’t so great at choosing strong, unique passwords for each of their online accounts, and cracking passwords is old hat for even the most novice of hackers these days, so other options for protecting these accounts have been introduced. A process known as two-factor authentication (sometimes also referred to as two-factor verification or two-step authentication) has grown in popularity over recent years, and the most popular second “factor” people opt to use to protect and enter their accounts is the receipt of a time-sensitive, single-use code via SMS text message to their mobile device. While this might seem like a brilliant way to definitively prevent anyone from breaking into your account, new information from top professionals in the information security world indicates that SMS text message verification might not be as secure as we’ve been led to believe.

Why is SMS text message authentication risky?

In theory, it should be a secure method of verifying the identity of a person trying to log into an account. Most people probably assume that even if a person trying to break into their account has their username and password, it is unlikely that they will also have access to their cell phone. However, according to data presented by the National Institute of Standards and Technology (NIST) in its Digital Authentication Guideline 800-63B proposal, that’s not always accurate, as hackers are learning how to break into or otherwise compromise people’s text messages. For example, a popular Twitter activist had his account hacked earlier this year after the perpetrator called his cell service provider and impersonated him (possibly using information obtained via the Internet black market), convincing them to redirect his text messages to a different SIM card — thus enabling the hacker to bypass the SMS text message two-factor authentication process. Twitter only offers a text message option with its two-factor authentication, and it’s not the only service limiting users’ options this way. And in case you’re thinking that public figures are the only ones who need to worry about scams like this, SIM card switching scams have become so prevalent that New York’s Division of Consumer Protection recently issued an official warning.

Another problem with using text messaging as a form of authentication is that VoIP services like Google Voice and Skype make it difficult to tell whether the verification message is traveling over a cell network or through another channel, which could leave it open to interception or redirection. Additionally, if your Google account is compromised, which is not unlikely given the scope of recent data breaches, and you’re using a Google Voice number for your two-factor authentication, then any messages sent to you will be easily accessible by the hacker. Although, in theory, SMS text message authentication assumes that you’re receiving a code on a phone that’s in your personal possession, that’s clearly not always the case — which makes it a vulnerable form of account security.

Other options are available that will provide more reliable security

Although the NIST’s draft proposal is meant for federal agencies (NIST is a part of the U.S. Department of Commerce), the proposed shift away from SMS text message authentication is likely to trickle down to the services and websites general consumers use. Rather than banning SMS text messages as an authentication factor altogether, the NIST is suggesting federal agencies instead invest in two-factor authentication technology that focuses on other options. These include biometrics (such as your fingerprints or facial recognition), a secure mobile app which generates single-use codes, cryptographic chips (like those seen in newer-issued credit cards) and physical dongles (like a USB device you carry with you and plug into your computer when you want to log in) which generate single-use codes. Each of these options has issues of its own, but they’re still vastly more secure than SMS text messaging, according to the experts.

So, should you ditch text message two-factor authentication?

In short, no. Many services already let users pick an option for two-factor authentication besides SMS text messaging; Google, for example, supports its free Google Authenticator app as well as a Security Key, a physical USB device you can purchase on your own. And even if you’re using a platform like Twitter or Instagram, which don’t give you a choice beyond using your cell phone number, at the end of the day, opting to use it is still far more secure than just using a password. What the NIST’s proposals show is that the face of two-factor authentication is going to be changing soon, and it’s wise for consumers to pay attention and take the other options when they’re available to them or as they become available. If you want to learn more about how two-factor authentication can protect you and get step-by-step walkthroughs on enabling it for some of the most popular online services, check out LockDownYourLogin.com, a part of the National Cyber Security Alliance’s efforts to raise awareness for National Cyber Security Awareness Month.

To learn more about protecting yourself online as well as offline, you can follow our identity theft protection blog, which keeps up with the latest in security news you need to know and provides tips for staying safe.