RE: Second Factor SMS: Worse than Its Reputation

Another day, another (big) leak: the CCC, Chaos Computer Club, obtained millions of SMS containing Two-Factor Auth (2FA) tokens which were publicly available on the internet.

One-time passwords are often sent via SMS. Security researchers from the CCC recently had live access to over 200 million such SMS messages from more than 200 affected companies.

via https://www.ccc.de/en/updates/2024/2fa-sms

2FA via SMS has long been known to be weak, and the CCC advised against it as early as 2013 (!) – 11 years ago – in a statement available here https://www.ccc.de/en/updates/2013/de-mail-unqualifizierte-makulatur

CCC generally recommends using 2FA if available.

The most secure option is a hardware token like a YubiKey, followed by dedicated authenticator apps like Google Authenticator or Microsoft Authenticator, then one-time passwords generated inside password-manager apps like KeePassXC or 1Password, and finally … SMS, which is still a little better than no 2FA at all, flawed as it is.

I highly recommend KeePassXC. In 2020 I blogged about my setup, which is still similar today.

Links