Why shouldn’t you use your phone number for two-factor authentication?


Two-factor authentication (2FA) is an essential security measure to protect your online accounts. However, using your phone number as an authentication method can put your security at risk.

There are many ways to set up two-factor authentication, from the Google Authenticator app to the familiar code sent by SMS, but not all are equally secure.

As Lifehacker reminds us, the weakness of passwords is that anyone can learn yours, and password leaks are becoming more common. 2FA solves this problem by requiring both your password and access to a trusted device to authenticate your identity. Depending on the 2FA method you set up, the system will send you a code via SMS, ask you to retrieve the code from an authenticator app, or ask you to plug in a physical security key to confirm your identity.

Although any authentication method is better than nothing, SMS is the weakest method, as phone numbers are not a secure form of identification. Attackers can trick network operators into transferring your phone number to their SIM card, in an attack known as SIM swapping, or pay another company to redirect your text messages to their number. In both scenarios, they will receive your 2FA codes and be able to log into your accounts without any issues.

Using your phone number as a username for your accounts also poses risks, as there are many recycled phone numbers in circulation. There’s a chance your number previously belonged to someone else, and if that person used it for an account and never changed it, logging in with those digits could grant you access to their account.

That is why it is recommended to use more secure authentication methods, such as authenticator apps or security keys. Authenticator apps, like the aforementioned Google Authenticator, generate a unique code every 30 seconds that is associated with your account. Physical security keys act like an authenticator app in physical form and require you to connect your device to the security key to authenticate your identity.

Even so, there are viruses that can capture codes from these platforms, so you can never relax.

Do not use your phone number as a backup method either; it is not a good idea.