Why Phone-Based Authentication Can Be Insecure

Cyber criminal’s delight?

by
Sascha Brodsky headshot
Tech News Reporter

Sascha Brodsky is a freelance journalist based in New York City. His writing has appeared in The Atlantic, the Guardian, the Los Angeles Times and many other publications.

our editorial process
Sascha Brodsky
Published November 17, 2020

Key Takeaways

  • Hackers can steal phone-based multi-factor authentication (MFA) codes, experts say. 
  • Phone companies have been tricked into transferring phone numbers to allow criminals to get the codes.
  • A simple, low-cost way to increase security is to use the authenticator app on your phone. 
Hands on a keyboard with a smartphone, wallet, and card reader lined up above it.
Photographer, Basak Gurbuz Derman / Getty Images 

To stay safe from hackers, stop using phone-based multi-factor authentication (MFA) codes sent via SMS and voice calls, a top security expert writes in a new analysis. 

Phone codes are vulnerable to interception by hackers, Alex Weinert, director of identity security at Microsoft, wrote in a recent blog post. Text-based codes are better than nothing, observers say. But users should replace phone-based authentication with apps and security keys. 

"These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today," he wrote.

"That gap will only widen as MFA adoption increases attackers' interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now—the authenticator app provides an immediate and evolving option."

MFA is a security method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. These codes are often sent by phone. 

Hackers Pretend to Be You

There are ways hackers can get access to phone codes, however, observers say. In some instances, phone companies have been tricked into transferring phone numbers to allow hackers to get the codes.

"Telephones are so insecure that users will often get scam calls routed to them from third-world countries while showing American regional phone numbers," Matthew Rogers, CISO of cloud provider Syntax, said in an email interview. "Telephones are also subject to SIM swapping attacks, which can easily bypass MFA via text message."

Recently, popular BBC radio host Jeremy Vine was victimized with an attack that led to his WhatsApp account being penetrated.

"The attack that successfully tricked Vine starts with the receipt of a seemingly unsolicited SMS message that contains the two-factor authentication code to their account," Ray Walsh, data privacy expert at the privacy review site ProPrivacy, said in an email interview.

"Following that, the victim receives a direct message from a contact claiming to have sent them a code by accident. Finally, the victim is asked to forward the hacker the code, which gives them instant access to the victim’s account."

Software can also be a problem. "Due to device vulnerabilities, the MFA could potentially be eavesdropped by a leaky app or a compromised device the user is not aware of," George Freeman, solutions consultant at the government group of LexisNexis Risk Solutions, said in an email interview. 

Don’t Give Up Your Phone Yet

However, text-based MFA is better than nothing, experts say. "MFA is one of the most powerful tools a user has to protect their accounts," Mark Nunnikhoven, vice president of cloud research at cybersecurity company Trend Micro, said in an email interview.

"It should be enabled whenever possible. If you have the choice, use an authentication app on your smartphone—but in the end, just make sure that MFA is enabled in any form." 

A simple, low-cost way to increase security is to use the authenticator app on your phone, Peter Robert, co-founder and CEO of IT company Expert Computer Solutions, said in an email interview.

“If you have the budget and consider security critical, I would encourage you to evaluate hardware-based MFA keys," he added. "For businesses and individuals who are concerned about security, I would also recommend a dark web monitoring service to let you know if personal information about you is available and for sale on the dark web."

Closeup of a finger on a fingerprint scanner.
honestmike / Getty Images 

For a more Mission Impossible-style approach, the new standard FIDO2 with Webauthn uses biometric authentication, Freeman says. "The user connects to a financial site, enters a username, the website contacts [the] user’s mobile device, a secure app on [the] phone then prompts the user for [their] facial ID or fingerprint. When successful, it then authenticates the web session," he said. 

With so many possible threats, it might be time to start looking for more secure ways to log on to websites that store personal information. Hackers could be lurking on the web just waiting to intercept your password.