Why Phone-Based Authentication Can Be Insecure
Cyber criminal's delight?

By Sascha Brodsky, Senior Tech Reporter. Sascha Brodsky is a freelance journalist based in New York City. His writing has appeared in The Atlantic, the Guardian, the Los Angeles Times and many other publications.
Updated on November 23, 2020 12:37PM EST
Fact checked by Rich Scherr. Rich Scherr is a seasoned technology and financial journalist who spent nearly two decades as the editor of Potomac and Bay Area Tech Wire.

Key Takeaways
- Hackers can steal phone-based multi-factor authentication (MFA) codes, experts say.
- Phone companies have been tricked into transferring phone numbers to allow criminals to get the codes.
- A simple, low-cost way to increase security is to use the authenticator app on your phone.

To stay safe from hackers, stop using phone-based multi-factor authentication (MFA) codes sent via SMS and voice calls, a top security expert writes in a new analysis.

Phone codes are vulnerable to interception by hackers, Alex Weinert, director of identity security at Microsoft, wrote in a recent blog post. Text-based codes are better than nothing, observers say. But users should replace phone-based authentication with apps and security keys.

"These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they're the least secure of the MFA methods available today," he wrote.
"That gap will only widen as MFA adoption increases attackers' interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now—the authenticator app provides an immediate and evolving option."

MFA is a security method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. One of those pieces of evidence is often a one-time code, and that code is frequently delivered by phone, as an SMS message or a voice call.

Hackers Pretend to Be You

There are ways hackers can get access to phone codes, however, observers say. In some instances, phone companies have been tricked into transferring a victim's phone number to a SIM card the attacker controls, so that the codes are delivered to the attacker instead.

"Telephones are so insecure that users will often get scam calls routed to them from third-world countries while showing American regional phone numbers," Matthew Rogers, CISO of cloud provider Syntax, said in an email interview. "Telephones are also subject to SIM swapping attacks, which can easily bypass MFA via text message."

Recently, popular BBC radio host Jeremy Vine fell victim to an attack in which his WhatsApp account was taken over. That attack did not require intercepting anything; it relied on talking the victim into handing the code over.

"The attack that successfully tricked Vine starts with the receipt of a seemingly unsolicited SMS message that contains the two-factor authentication code to their account," Ray Walsh, data privacy expert at the privacy review site ProPrivacy, said in an email interview. "Following that, the victim receives a direct message from a contact claiming to have sent them a code by accident. Finally, the victim is asked to forward the hacker the code, which gives them instant access to the victim's account."

Software can also be a problem.
"Due to device vulnerabilities, the MFA could potentially be eavesdropped by a leaky app or a compromised device the user is not aware of," George Freeman, solutions consultant at the government group of LexisNexis Risk Solutions, said in an email interview.

Don't Give Up Your Phone Yet

However, text-based MFA is better than nothing, experts say.

"MFA is one of the most powerful tools a user has to protect their accounts," Mark Nunnikhoven, vice president of cloud research at cybersecurity company Trend Micro, said in an email interview. "It should be enabled whenever possible. If you have the choice, use an authentication app on your smartphone—but in the end, just make sure that MFA is enabled in any form."

A simple, low-cost way to increase security is to use the authenticator app on your phone, Peter Robert, co-founder and CEO of IT company Expert Computer Solutions, said in an email interview. Unlike an SMS code, the code an authenticator app displays is computed on the phone itself from a secret shared with the website when the app was set up, so there is nothing for a SIM swap or a call-routing trick to intercept.

"If you have the budget and consider security critical, I would encourage you to evaluate hardware-based MFA keys," he added. "For businesses and individuals who are concerned about security, I would also recommend a dark web monitoring service to let you know if personal information about you is available and for sale on the dark web."

For a more Mission Impossible-style approach, the newer FIDO2 standard with WebAuthn can use a biometric on the user's own device in place of a typed code, Freeman says.

"The user connects to a financial site, enters a username, the website contacts [the] user's mobile device, a secure app on [the] phone then prompts the user for [their] facial ID or fingerprint. When successful, it then authenticates the web session," he said.

With so many possible threats, it might be time to start looking for more secure ways to log on to websites that store personal information. Hackers could be lurking on the web just waiting to intercept your password.