We need to talk… about SMS-based two step authentication

We like you. Whether you’re defending human rights or simply enjoying them, we want you to be protected from thieves and spies. That’s just one of the many reasons we recommend that you enable two-factor authentication on all your digital accounts. In 2016, approximately 20% of cases handled by our Digital Security Helpline involved account recovery. Enabling two-factor (or multi-factor) authentication gives you an added layer of protection to make sure your accounts are not compromised. However, not all two-factor authentication methods are created equal. And in fact, some can even be harmful.

In the infographic about types of two-factor authentication published by Access Now, we told you to “avoid” using SMS-based two-factor options. Today, we’d like to explain further why we made that recommendation.

Here’s how SMS-based two-factor works: Many accounts will allow you to provide a phone number as a secondary means of authentication. When you log in to an account from a new location, with a new device, or with a setup that your provider finds unusual for whatever reason, the system will send you a code via text message to verify your identity. (Some systems require you enter a code every time.) You then enter that code to prove that you are the trusted user. The problem is that this system has several flaws.


The first problem is the most simple. This system requires you to associate a phone number with an account. In a world where we cannot trust companies to protect our data, there are many reasons why someone would not want to provide a company with their phone number. And the problem is even worse for the users most at risk. In many places around the world, social media accounts are how people engage in political discussions. By providing a phone number, an activist or government critic could be revealing their identity and face legal repercussions.


A text message to a phone is supposed to prove that you have control of the phone, but that is actually not true for several different reasons.

  • Text messages will show up on a locked device by default. Anyone near a phone can see the code, even if you’re using a strong passcode on the device.
  • Text messages are frequently forwarded to multiple devices (like laptops and tablets) under one account, which exacerbates problem number one.
  • Attackers can hijack your text messages by counterfeiting your SIM card or infiltrating your phone carriers. For example, Black Lives Matter activist DeRay McKesson had his phone compromised when an adversary simply called his mobile provider and asked them to send a new SIM card.
  • In addition to hijacking your device, mobile networks themselves are not secure. A sophisticated adversary can simply reroute the text messages in transit. The entire point of a mobile phone is to be able to communicate with people. My mobile phone in Washington D.C. (Verizon) needs to be able to communicate with my friend’s phone in Hong Kong (China Mobile). Mobile networks built and administered by different companies need interoperability. The system is called Signaling System 7. This interoperability allows Verizon to ask China Mobile for information at machine speed. That default openness can also allow a more sophisticated adversary to reroute text messages — meaning the codes sent to verify that I am the owner of the account could end up anywhere.

The bottom line is that SMS-based text messages are not an ideal way to protect your accounts. Some users feel that SMS is better than nothing for enhancing account security, but for some people using a phone number to protect their accounts, it can provide a false sense of security or cause them to expose themselves to greater risk. That’s why we recommend you avoid SMS-based two-factor authentication in favor of one of the several other methods available.