Use google authenticator backup code
A hacker would have to be ridiculously lucky (anything’s possible, I guess) or have possession of your physical device to gain access to the code. The code also changes every 30 seconds or so as an added measure of protection - it’s next to impossible for a hacker to guess at the right code when it changes so frequently. You’re just getting a push notification in some cases.” How to choose and use an authenticator appĪuthenticator apps work the same way text-based 2FA does, but instead of having a code sent to you via text, the code appears in the app. “They’re really easy to use, they’re super secure, and they’re also convenient. “That’s our whole purpose of really promoting these authentication apps,” Akhil Talwar, director of product management for LastPass, which makes a password manager and an authenticator app, told Recode.
I’m here to tell you that it’s not intimidating, and it is worth it. Some people might find that - choosing and downloading another app, scanning QR codes, accepting tokens - to be too intimidating or simply not worth the extra effort. There are now more ways to compromise an SMS service than they can hope to fix.”īasically, if you’re using texts or your phone number to verify your identity, it’s time to consider something else.Īuthenticator apps - which are usually free - take a few more steps to set up than text-based authentication.
And we built a bunch of security services on top of it. “It was designed to be a cheap way of sending messages. “SMS, as a technology, has been around for a long time,” Marc Rogers, executive director of cybersecurity at Okta, an identity authentication technology company, told Recode. And, as Vice reported in March, hackers have found other SMS exploits that don’t even require access to your SIM card. Putting a PIN on your SIM might prevent some of this, but it’s not foolproof. There have also been cases of mobile carrier employees accepting bribes to switch SIMs, in which case a hacker wouldn’t have to know much about you at all. If a hacker knows enough about you to convince your mobile carrier that they are you, an unsuspecting customer service representative might switch your SIM to them. But as Burns’s story shows, you don’t have to be a famous billionaire to be a target. SIMjacking, or SIM swapping, was famously used to take over Twitter co-founder and CEO Jack Dorsey’s own Twitter account in 2019. “It had been wiped clean of the 1,200 or so photos I had shared since creating the account in 2012,” Burns, a Los Angeles-based television producer, told Recode. All Burns could do was watch the hacker destroy that part of his online life. With access to Burns’s SIM card, the hacker simply asked Instagram to send Burns a password recovery text in order to take over Burns’s account and lock him out. In the 20 minutes it took Burns to get the SIM switched back to his phone, his Instagram account was gone. SIMjacking: Why your phone number isn’t good enough to verify your identityīy the time Mykal Burns got the security text from T-Mobile informing him that his SIM card had been changed to a different phone, it was already too late. Don’t let the name intimidate you: There are a few extra steps involved, but the effort is worth it. That’s why I recommend using an authenticator app, like Google Authenticator, instead. But it’s a technology that wasn’t meant to serve as an identify verifier, and it’s an increasingly insecure option as hackers continue to find ways to exploit it. Text-based 2FA, where a text with a six-digit code is sent to your phone to verify your identity, is better known and better understood because it uses technology most of us use all the time anyway. (Don’t be like me, who didn’t have 2FA on her bank account until a hacker wired $13,000 out of it.) But the type of 2FA you use is also increasingly important. And you always use two-factor authentication, or 2FA. (No, “Passw0rd!” is not good enough.) Each password should also be unique to each account (We love a good password manager!). One is a strong and long password with upper and lower case letters, numbers, and special characters. When people ask me for security tips, I give them the basics.