SMS is not a proper form of 2FA - use Google Authenticator instead

SMS text messages sent to your phone are not a valid form of 2FA, since hackers will just call your phone company, claim to be you and say that your phone was damaged. They get a replacement SIM and, with it, access to everything linked to your phone.

Google Authenticator, Authy and similar forms of 2FA that reside on your device are the way to go.

What happens with Google Authenticator if you lose your phone?

When you set up a new service with Google Authenticator, you should see a seed string that is used to calibrate your phone with the service. You can and should store that seed in a (very) safe place. If and when your phone is damaged or lost, you can then simply install Google Authenticator on a new device and re-enter the seed.
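
Why re-entering the seed works, and why it needs a (very) safe place: the codes are computed from nothing but the seed and the current time. The sketch below is an added example, not code from this post or from Google; it assumes the service uses the standard TOTP defaults (RFC 6238, HMAC-SHA1, 30-second steps), and the seed shown is a constructed sample taken from the RFC test key.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def decode_seed(seed_b32: str) -> bytes:
    """Seeds are shown as base32, often lowercase and grouped with spaces."""
    cleaned = seed_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def totp(seed_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Code shown by any device holding this seed at the given time."""
    return hotp(decode_seed(seed_b32), int(unix_time) // step, digits)


def verify(seed_b32: str, submitted: str, unix_time: float,
           step: int = 30, window: int = 1) -> bool:
    """Service side: accept neighbouring time steps to tolerate clock drift."""
    key = decode_seed(seed_b32)
    counter = int(unix_time) // step
    candidates = (counter + d for d in range(-window, window + 1))
    return any(hmac.compare_digest(hotp(key, c), submitted)
               for c in candidates if c >= 0)


# Constructed sample seed: base32 of the RFC 6238 test key "12345678901234567890".
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the output is reproducible
    old_phone = totp(SEED, now)
    # The replacement phone gets the seed as typed from the backup copy.
    new_phone = totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", now)
    print(old_phone, new_phone, verify(SEED, new_phone, now))
```

Nothing in the calculation is tied to the handset, so anyone who obtains the stored seed can generate valid codes as well.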

Use 2FA wherever and whenever you can – on ALL your accounts!

This can't be emphasized enough. If, for example, your email account is weakly protected, an attacker will exploit it to reset passwords and get access to more of your accounts.

Comments

  1. I've been hacked once only and the attacker got into my DNS registrar (there was no 2FA) and installed a blanket email redirect so all email for a domain was going to the attacker. In this case my actual email had strong passwords but my domain registrar account didn't, resulting in the attacker getting my emails.

    Use 2FA wherever and whenever you can.

