Why 2FA is not bulletproof security

Every once in a while we’re asked which form of two-factor authentication is better: SMS text messages, or an application like Google Authenticator? The truth is, both have weaknesses, but one is far weaker than the other. Can you guess which one?

If you guessed SMS texting is less secure, you’re correct. SMS has evolved into a vital dependency for pretty much all of us. SMS, or short message service, was designed for simplicity with literally no security protocols at all. Although security features have been added over the years, it is still inherently deficient to rely upon for security processes. The biggest problem with SMS-based two-factor authentication is what’s known as SIM card swapping. SIM cards are the little internal cards that tie your mobile device to your telephone carrier, and therefore to your cell number. Scammers use various tactics to trick your cell phone carrier into switching your device information to their own phones, i.e., swapping the SIM card. They’ll tell your carrier you have a new phone, or otherwise convince them they are you, and the process has begun. To trick the carrier, they’ll use social engineering to learn about you so they can guess your security questions. They also use breached information about you that they’ve purchased from the dark web. Sadly, these scammers can reside anywhere in the world. To make matters worse, some SIM swapping is an inside job: mobile carrier employees working with other criminals to commit the theft. Once your SIM has been swapped, they’re able to intercept all of your data and text messages, rendering your SMS 2FA completely ineffective, because they’re receiving the codes themselves.

The alternative to SMS 2FA is an authenticator application. If you have the choice, we recommend this approach. Microsoft, Google, and others offer authenticator applications that generate a constantly changing series of one-time codes on your device. These applications rely upon a shared secret (the “seed”) stored both on your device and on the service’s servers; it is usually provisioned by scanning a QR code when you enroll. The risk with this approach is that the authentication servers could be hacked and those seeds exposed, since anyone holding a copy of the seed can generate the same codes.
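To make the shared-secret mechanism concrete, here is an added example (not code from the original post or from any authenticator vendor) implementing the standard algorithm these apps use, time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP), together with the `otpauth://` URI that enrollment QR codes encode. The seed used is the published RFC 6238 test secret, not a real account’s seed; `verify_totp`, `provisioning_uri` and the `window` parameter are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed example seed: the published RFC 6238 test secret, not a real account's seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(seed, timestamp // step, digits)


def verify_totp(seed: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift, comparing in constant time to avoid timing leaks."""
    for skew in range(-window, window + 1):
        expected = totp(seed, timestamp + skew * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provisioning_uri(seed: bytes, issuer: str, account: str) -> str:
    """The otpauth:// Key URI an enrollment QR code encodes. The seed itself travels
    inside it in base32, which is why the QR code must be treated as the secret."""
    secret_b32 = base64.b32encode(seed).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    now = int(time.time())
    # The user's app and the server both hold DEMO_SEED, so both derive this same code;
    # a leaked copy of the seed would derive it too, which is the breach risk described above.
    print("current code for demo seed:", totp(DEMO_SEED, now))
    print(provisioning_uri(DEMO_SEED, "ExampleCorp", "alice@example.com"))
```

Because the server must keep the raw seed to compute the same code, it cannot store a one-way hash of it the way it does for passwords; that is why seed storage (encryption at rest, HSM-backed key wrapping, tight access control) is the point where this scheme is most exposed.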

While neither approach is bulletproof, either is far better than none, and the latter is better than SMS. If you have a choice, choose to enable 2FA. If you can choose between SMS or an authentication app, choose the authentication app.

If you have questions about setting this up for yourself, give us a call. We’re always happy to assist.


If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.