Kelvin Jackson

Do Not Use SMS for 2FA


That's it. That's the blog post.

Smarter people than me have already explained why this is a security risk, and I will not rehash that here. But on top of the security holes it opens, SMS two-factor authentication poses serious practical challenges.

Two-factor authentication by text message raises all sorts of problems for people who don't always have phone service, or who otherwise do not always have access to a particular phone number. I, for instance, have two phone numbers: one for North America, and another for Europe. While (thankfully) it is technically possible to access the North American phone number when I am in Europe, doing so is a hassle, and I can easily imagine a situation where it would be impossible. I have heard similar stories from people in remote regions where they might have internet, but generally do not have cell service. And yet, many web-based services require SMS-based authentication to log in, only allow the user to add one phone number, and sometimes even require the phone number to be from a particular country.

Just don't do it. Please. There are plenty of good authenticator apps out there that you can use instead. Don't force your customers to jump through unnecessary hoops just to use your service, and don't assume that they will stick around when they finally get fed up.