How to *securely* use SMS two-factor authentication (2FA)

Any form of two-factor authentication (2FA) is better than a username and password alone. However, sending one-time passcodes (OTPs) over text message (SMS) is a notoriously weak form of 2FA. As far back as 2016, Forbes was publishing horror stories about people getting their Bitcoin stolen after attackers hijacked their phone numbers and intercepted their SMS codes.

Even though there are more secure alternatives, such as U2F security keys and OTP mobile apps (like Google Authenticator), many sites still only support SMS 2FA, and many more default to it. Using it is better than nothing. In this blog, I'll show you how to do so as securely as possible.

What’s the issue with SMS 2FA?

When prompted to enroll a phone number, most people use their mobile phone number. Makes sense, right? Your mobile device receives text messages (check), and is in your pocket 99.99% of the time (check). But the problem is that you don't control your mobile phone number; your carrier does (Verizon, T-Mobile, AT&T, etc.).

With only a few relatively easy-to-obtain pieces of personal information, like your social security number and phone number, an attacker can trick a carrier's support representative into porting your number to a SIM or carrier the attacker controls (a "SIM swap" or "port-out" attack). From that moment, every OTP meant for you is delivered to the attacker, and your own phone loses service. You are locked out of your accounts while the attacker holds the second factor needed to get into them.

So how can you take advantage of the additional account security SMS OTP offers while keeping control over where those codes are delivered?

Use Google instead!

Most people have a Google account. If you don't already, sign up for one! Next, sign up for a Google Voice phone number. (Google Voice is currently only offered to people in the US, and setup requires an existing US number to forward to.) Your Google Voice account can be used to make and receive phone calls and send and receive text messages. And fortunately, Google supports strong 2FA on the account that owns the number, which is what makes this approach work. Once you have a Google Voice number, follow these steps:


Step 1: Purchase at least one U2F security key, such as a YubiKey. Two is better: register both, and keep the second somewhere safe so a lost key does not lock you out of the account that now controls your phone number.

Step 2: Download an OTP app to your smartphone, like Google Authenticator.

Step 3: With your U2F key(s) in hand and an OTP app on your phone, configure your Google 2FA account settings:

  • Register your U2F key(s) and OTP app against your Google Account.
  • Remove your mobile phone number as a 2FA option for your Google account, and also remove it as an account-recovery phone number. A recovery number left behind is a back door: an attacker who ports your mobile number could use it to reset the very account that protects your Google Voice number.


Step 4: Download the Google Hangouts app (or the Google Voice app itself) to your smartphone and your computer so you can read Google Voice text messages wherever you are.

Step 5: Go back to all your high-value accounts and replace your mobile phone number with your Google Voice number. One caveat: some services, banks in particular, refuse to send OTPs to VoIP numbers. If a site rejects the Google Voice number, check whether it offers an OTP app or security key instead before falling back to your mobile number.

Now, anytime OTPs are sent to you via SMS, the message will be delivered to your Google Voice number, not your mobile phone number. If you followed Step 4 above, you will still have access to the OTPs on your mobile device and computer via the Hangouts app. Net-net, no convenience lost.

How is this more secure?

Your Google Voice number cannot be moved or tampered with without access to your Google account, which is now secured with multiple forms of strong authentication, none of which involve a mobile phone number. Porting a Google Voice number to another carrier requires first unlocking it from inside the Google Voice settings, so the attacker would have to be signed in as you. Now you control the number where important security text messages are sent, not an anonymous carrier support representative who can be talked into a port-out. This simple update is quick and affordable to set up, offers similar usability and convenience, and most importantly, gives you more control over your account security. Mission accomplished!


Need to support 2FA for your organization?

If your organization wants to offer people strong and secure 2FA, take a look at the free open source Gluu Server. With a Gluu Server, your organization can enforce strong authentication for many web & mobile apps in one place. Gluu supports open web standards like OpenID Connect for single sign-on (SSO), and a variety of strong authentication mechanisms including U2F Keys, OTP apps, and our own free and secure mobile push app, Super Gluu.
