3aIT Blog

For many years, the primary method of two-factor authentication for online accounts has been via text message. You provide your mobile number, then you get a code sent to your phone that you input so that even if someone knows your password, they still can't access your account. Google is the latest company to begin actively moving people away from that approach for security reasons.

In Google's case, they will be pushing people towards using a One Time Passcode app to generate the code. They provide one of these themselves (Google Authenticator), although there are many others available. This is an app that runs on your phone that generates a new six-digit code every 30 seconds for every account you have registered. Unless you have access to these codes, you can't get into the accounts.

Google is not the only one making this change. For a while now, Microsoft have been nudging people away from using the SMS method to secure their 365 accounts, and are planning on removing this option entirely in the coming months. Their preferred approach is for you to use their dedicated Authenticator app, although they do provide the alternative of using a One Time Passcode generator if you prefer. In other words, if you're currently getting your 365 2FA codes by text message, you should be looking to switch this at a convenient moment, or risk getting forcibly switched in a few months when you're inevitably in the middle of 6 different things!

The primary reason for this shift is the rise in so-called "SIM swap" fraud. This is where a fraudster manages to convince a mobile provider to transfer your number to them. If successful, they then have access to all the 2FA codes that are sent by text. This is not possible with One Time Passcode apps, as they are locked to the device and not to the phone number.

Our advice - Switch to Passkeys where you can

As we have mentioned before, there is a better solution to this sometimes painful process - Passkeys. These perform a similar function to the various authentication apps, but in a way that requires no user input at all. You register one or more devices as the "key" that unlocks that account, and if someone tries from a device that doesn't have that key registered, they can't get in. Many companies and systems are rolling this out now. If you're running Windows 11 or a recent Apple OS and have a mobile bought in the last couple of years or so, you probably have everything you need to make the switch to Passkeys. We would recommend this approach for anyone who wants to do away with all the 2FA hassle. This is likely to become the primary way to log into things within the next couple of years, so you may as well work out how it works now!

Just as a final caveat to all this, it should be said that despite the security risk, using SMS-based 2FA is still infinitely better than using no 2FA at all. Even the most complex passwords can be cracked these days, and then you also have the ever-present risk of entering your password into a well-crafted phishing site. It really is just a matter of time until any account that is secured by just a password is compromised.