"Turn off your Two Factor Authentication..."

Going on holiday can cause headaches for people making use of two factor authentication – perhaps some of you reading this now are already familiar with the “I can’t receive SMS while overseas, may as well turn it off” dance. In fact, one Australian Government Twitter feed has caused a bit of a furore by making this a piece of actual advice, with the inevitable backlash tagging along for the ride.

While they may have a very specific set of circumstances for their website setup which means everyone is locked into SMS, it’s worth noting that there are a number of two factor authenticators out there which don’t use SMS at all (see: “offline tokens”) and so can be used anywhere, anytime, whether connected to the Net or not. One of the most popular is Google Authenticator, which works with everything from LastPass, Facebook and Google services (naturally) to Tumblr, Salesforce and Amazon. In fact, it also works with a number of videogames like Guild Wars 2 and EVE Online. Whatever you make use of in your day to day online dealings, you’ll likely find an offline authenticator will do the same job as one of its SMS brethren.

Another benefit of going offline and ditching SMS is that you potentially reduce the window of opportunity for an attacker. One scam attempt where SMS verification is concerned is for the attacker to obtain the mobile number, then phone the network claiming the device has been lost. If they’re able to convince the network to forward SMS to their “new” phone, then they now have access to the bit that’s supposed to be more secure than your regular password. If they’ve already phished your password (or obtained it via malware) then you’re in trouble.

Two factor is a great way to shore up some accounts, but we’d only suggest switching the feature off as an absolute last resort. If you must do this, at least ensure your password is a decent one. The tradeoff here is that if you’re on a phone for your Internet wanderings with no laptop in sight, it isn’t exactly practical to type in a fifty-character password, much less remember it. As a result, switching off two factor may cause a knock-on effect of “I’ll just make my password five characters in length, what could possibly go wrong”.

Don’t do this.

Instead, consider making use of a mobile password manager. A password on its own isn’t as good as having two factor enabled, but it’s certainly a whole lot better than “Password1”.

Whatever you decide to do with your logins, do the best you can to keep them safe – and if you’re not making use of two factor yet, it might be worth throwing onto your list of 2016 New Year’s Resolutions.

Christopher Boyd


Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.