SMS based 2FA is better than no 2FA

Two layers of defense are better than one layer of defense. This seems logic. But every now and then I end up in a discussion - mainly on Twitter - where people tell me this is wrong. Instead of going into the same discussion over and over again, I'm writing this blog so I can just link to it in the future.

What is SMS based 2FA

If you don't know what 2FA (or two-factor authentication) is I suggest you to read this blog first.

We speak of SMS based 2FA when you need to provide two pieces of evidence to gain access to your account. The first piece of evidence is in most cases a password or pin code, the second piece is a code that you receive via SMS.

You'll only be granted access when you can provide both the password or pin and the code you got sent via SMS.

But SMS can be intercepted by attackers

SMS has several known vulnerabilities that can be exploited by criminals. SIM swapping attacks are the most prevalent threat. This is when criminals transfer a victim's phone number to a SIM card they own. They often use social engineering to trick mobile providers into doing so, but the criminals become more and more creative.

But SMS based 2FA is still better than no 2FA

To gain access to an account that's secured with SMS based 2FA an attacker must know your password and on top of that he has to find a way to intercept the SMS that contains the code. So even with the known vulnerabilities in SMS this is an additional barrier.

The argument I hear all the time:

"But on website X you can reset the password via SMS only"

Password reset via SMS only is just 1FA and something totally different than SMS based 2FA. I totally agree that password reset via SMS only is a serious risk and you should never implement it like this, but don't call it SMS based 2FA, because it isn't.

And also statements like: "randomly generated passwords are always better than SMS 2FA" don't make sense. There are very good reasons why you don't want randomly generated passwords. Troy Hunt did a very good write-up about why this is not a realistic implementation. And relying on a password only - whether it is randomly generated by the website or chosen by the user - is always less secure than any implementation of 2FA.

Conclusion

Whenever you have the option to enable 2FA on a website or for an app, do it! Yes even if the only available option is SMS based 2FA. Of course if you can you should use software tokens (TOTP) or even the more secure hardware tokens (security keys). But keep in mind, SMS based 2FA is better than no 2FA!