You Shouldn’t Use Your Phone Number for Two-Factor Authentication, Anyway (2024)

Jake Peterson


You should be using two-factor authentication (2FA) with each and every one of your accounts that allows it. You probably already do for at least some accounts, and it probably pisses you off from time to time. Every time you try to log in, you need to find your phone, check the code they texted you, and enter it to proceed. It’s all worth it in the name of account security though, right? Well, kinda. If you’re using your phone number to log into accounts, you’re actually putting yourself at unnecessary risk.

Why 2FA makes your accounts more secure

The problem with passwords is everyone knows yours. Sure, that’s hyperbole, but password leaks are all too common, and add up to billions of known passwords living on the internet for anyone to find and use. Worse yet, many of us forgo the advice to use a strong and unique password for every one of our accounts, opting to reuse the same, weak password for “easier” logins. If that password is leaked, all the accounts you use it for are compromised.

2FA fixes this problem by requiring both your password and access to a trusted device in order to authenticate yourself. Once you enter the correct password, 2FA then requires a corresponding code or device to let you in. Depending on the 2FA method you set up, the system might text that code to you (SMS-based), ask you to retrieve the code from an authenticator app, or require you to connect to a physical security key to confirm your identity.

When you set up 2FA, it doesn’t matter if a hacker steals your password: Without access to the 2FA authentication code or device, they’re stuck.

SMS-based 2FA is the weakest kind

Any additional form of authentication is better than nothing. However, SMS is the weakest method available. Phone numbers simply aren’t a secure form of identification. Bad actors can trick network carriers into transferring your phone number to their SIM card, in an attack known as SIM swapping, or pay another company to reroute your text messages to their number. In either scenario, they’ll receive your SMS 2FA codes, and will be able to break into your accounts without issue.

It isn’t just a 2FA problem, either. Relying on your phone number as a username for your accounts poses risk as well. There are so many recycled phone numbers in this country, there’s a good chance you have a number that used to belong to someone else. And if that person also used that number for an account without changing it, signing in with those digits might grant you access to their account. It’s a big problem for WhatsApp, with reports of users losing access to accounts because someone logged in with their old number.

We can thank Twitter for the renewed SMS-based discussion

SMS 2FA is in the news thanks to Elon Musk’s Twitter, which is doing away with the authentication method for free accounts. Starting March 20, only Twitter Blue subscribers will have access to SMS-based 2FA. The app will then deactivate SMS 2FA for any customers who continue to greedily hoard their $8 from Musk.

Twitter will continue to support other forms of 2FA for free. Even still, the move is stupid. It’s hard enough to get users to adopt advanced security methods like 2FA in the first place. While some might take the time to set up another form of 2FA, many will not, meaning a significant slice of Twitter’s user base will be vulnerable come March 20. What would be smart would be to encourage your user base to switch to a more secure form of 2FA. Since Elon won’t, I will: Please use a more secure 2FA method.

You should use authenticator apps or security keys for 2FA instead

Whether you’re trying to protect your free Twitter account or any other, choosing a different 2FA option when available can shore up your security.

The most convenient alternative is using an authenticator app. A dedicated authenticator app, like Google Authenticator (iOS | Android) or Microsoft Authenticator (iOS | Android), ties your account to a 2FA code that regenerates every 30 seconds. When it’s time to log in, you open the app, check the code, then enter it. It eliminates the risk of someone remotely hijacking the process, since they’ll need physical access to the device containing the authenticator app to see the code. Apple even has a built-in authenticator in the password managers on iPhone and Mac, so you don’t need to download anything extra to get started.

Another secure 2FA option is the security key, which acts like an authenticator app in physical form. With this option set up, your account will ask you to connect your device to the security key, either by directly plugging it into the device, or through wireless communication like NFC. It’s far less convenient than using a free authenticator, but provides serious security for your accounts.

So, let’s let phone numbers be phone numbers, and reserve them for calls and texts. Leave the authenticating to the pros, and we’ll all be a little safer online.


Jake Peterson

Senior Technology Editor

Jake Peterson is Lifehacker’s Senior Technology Editor. He has a BFA in Film & TV from NYU, where he specialized in writing. Jake has been helping people with their technology professionally since 2016, beginning as technical specialist at New York’s 5th Avenue Apple Store, then as a writer for the website Gadget Hacks. In that time, he wrote and edited thousands of news and how-to articles about iPhones and Androids, including reporting on live demos from product launches from Samsung and Google. In 2021, he moved to Lifehacker and covers everything from the best uses of AI in your daily life to which MacBook to buy. His team covers all things tech, including smartphones, computers, game consoles, and subscriptions. He lives in Connecticut.
