SMS messages are something of a security disaster. These unencrypted, plain-text messages travel across multiple unsecured networks on their way from sender to recipient.

The system is a throwback to a long-gone era. This is becoming better known when we message one another, hence the rise of encrypted alternatives such as WhatsApp, iMessage and Signal. But, ironically, that same SMS system has become the default delivery mechanism for most two-factor authentication (2FA) codes. And that's not good.

This is an issue for many, many reasons. An SMS is delivered to a phone number without any user authentication: biometric or passcode measures protect our physical devices, not our numbers, and the two are separate. This opens us up to SIM swapping, to social-engineering scams that trick us into handing over those six-digit codes, and to malware that captures and exfiltrates screenshots of incoming messages.

For all those reasons, and more, the advice is now to avoid SMS-based 2FA if you can. Clearly, SMS is much better than nothing at all, and the token or hardware security key alternatives are a stretch for most people. So, if you can tie 2FA to the biometric or passcode security of a known device, that is a vast improvement. Apple does this brilliantly, and Google is fast making this the default as well.

“Starting on July 7,” the tech giant confirmed in a blogpost on June 16, “we will make phone verification prompts the primary 2-Step Verification (2SV) method for all eligible users.” The plan is to switch Google account holders to this setting, preventing the majority from simply defaulting to an SMS message or voice call.

There is a downside: all devices a user is logged into will receive the prompt, and that will require some rejigging for families sharing devices. Users who already have security keys won't see a change. If the phone prompt doesn't work for you, you can fall back to an SMS during the verification process, but Google does not recommend this.

Google explains that this shift is both more secure and easier, “as it avoids requiring users to manually enter a code received on another device.” In taking the decision to make this the “primary method” for 2FA, Google says “we hope to help [users] take advantage of the additional security without having to manually change settings—though they can still use other methods of 2-Step Verification if they prefer.”

This is a great step in the right direction and needs to be followed by others. With the increasing use of multi-device access to our various platforms, it is a great idea to use an authenticated device to verify a new logon. Anyone using SMS-based 2FA with an enterprise-based Office 365 account, for example, will know how painful and clunky the process is—there are better ways to handle the problem.

For an attacker to spoof this system requires physical access to one of your logged-on devices where they will see the prompt. Users will also be able to review and remove devices they no longer want to have access to this security option. And because the prompt hits all logged-on, authorized devices at once—you will immediately know if an attempt is being made to open your account without your knowledge.
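To make the two mechanisms contrasted above concrete (the SMS code that any holder of the number can present, versus a prompt that only an unlocked, still-enrolled device can answer), here is a simplified model added as an illustration. It is not Google's code and makes no claim about how Google's prompts work internally: the per-device secret stands in for a hardware-backed key, the device names, login contexts and 60-second lifetime are all constructed values.

```python
"""Constructed model of a device-bound login prompt versus an SMS code."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a prompt stays answerable; constructed value


def sms_code_check(code_sent: str, code_submitted: str) -> bool:
    """SMS 2FA: whoever can type the six digits passes, from any device."""
    return hmac.compare_digest(code_sent, code_submitted)


class Device:
    """A signed-in phone. `unlocked` stands in for passcode/biometric gating."""

    def __init__(self, device_id: str, unlocked: bool = True):
        self.device_id = device_id
        self.unlocked = unlocked
        self.secret = secrets.token_bytes(32)  # provisioned when the device enrols

    def respond(self, challenge: dict, approve: bool):
        """Answer a prompt; a locked device cannot answer at all."""
        if not self.unlocked:
            return None
        decision = "approve" if approve else "deny"
        msg = f"{challenge['id']}|{challenge['context']}|{decision}".encode()
        return {"challenge_id": challenge["id"], "device_id": self.device_id,
                "decision": decision,
                "mac": hmac.new(self.secret, msg, hashlib.sha256).hexdigest()}


class AccountServer:
    def __init__(self):
        self.devices = {}   # device_id -> secret: the user's authorized-devices list
        self.pending = {}   # challenge id -> (challenge, expiry time)

    def enroll(self, device: Device):
        self.devices[device.device_id] = device.secret

    def revoke(self, device_id: str):
        """The user removes a device they no longer want answering prompts."""
        self.devices.pop(device_id, None)

    def start_login(self, context: str):
        """Create one single-use challenge and deliver it to every enrolled device."""
        challenge = {"id": secrets.token_hex(16), "context": context}
        self.pending[challenge["id"]] = (challenge, time.time() + CHALLENGE_TTL)
        return challenge, list(self.devices)  # ids of devices that will show the prompt

    def verify(self, response) -> bool:
        """Accept only a fresh, unexpired approval keyed by an enrolled device."""
        if response is None:
            return False
        entry = self.pending.get(response["challenge_id"])
        if entry is None or time.time() > entry[1]:
            return False  # unknown, already answered, or expired
        challenge = entry[0]
        secret = self.devices.get(response["device_id"])
        if secret is None:
            return False  # device was removed from the account
        msg = f"{challenge['id']}|{challenge['context']}|{response['decision']}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            return False  # forged answer: challenge stays open for the real owner
        del self.pending[challenge["id"]]  # a genuine answer consumes the prompt
        return response["decision"] == "approve"


def demo() -> dict:
    """Walk through the cases the article describes; every value should be True."""
    server = AccountServer()
    phone, laptop = Device("pixel-1"), Device("chromebook-1")
    server.enroll(phone)
    server.enroll(laptop)
    r = {}

    # The SMS code is bound to nothing but the digits themselves.
    r["sms_code_works_from_anywhere"] = sms_code_check("493027", "493027")

    challenge, notified = server.start_login("new sign-in from Chrome, Berlin")
    r["prompt_reaches_all_devices"] = sorted(notified) == ["chromebook-1", "pixel-1"]
    forged = {"challenge_id": challenge["id"], "device_id": "pixel-1",
              "decision": "approve", "mac": "00" * 32}
    r["forged_approval_rejected"] = not server.verify(forged)
    approval = phone.respond(challenge, approve=True)
    r["owner_approves"] = server.verify(approval)
    r["replay_rejected"] = not server.verify(approval)

    challenge, _ = server.start_login("new sign-in from unknown location")
    r["deny_blocks_login"] = not server.verify(laptop.respond(challenge, approve=False))

    server.revoke("chromebook-1")
    challenge, _ = server.start_login("sign-in attempt")
    r["revoked_device_rejected"] = not server.verify(laptop.respond(challenge, approve=True))

    locked = Device("old-phone", unlocked=False)
    server.enroll(locked)
    challenge, _ = server.start_login("sign-in attempt")
    r["locked_device_cannot_approve"] = not server.verify(locked.respond(challenge, approve=True))
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point is in `verify`: the answer is accepted only if it carries a MAC under a secret the server enrolled for that device, the challenge is still pending, and it has not been used before. Revoking a device from the account's list is enough to silence it, and a forged answer leaves the challenge open so the legitimate owner still sees and can deny the prompt.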

There will be users out there who have not yet opted for 2FA at all; suffice it to say, your accounts are basically wide open. Research has shown that any form of 2FA removes more than 90% of the risk of a successful account compromise. This latest Google move just makes that safer still.
