PSA: Don’t Use Your Mobile Number For 2FA Or Password Reset [en]

[fr] Don't use SMS codes as your two-factor authentication method; use an app such as "Google Authenticator" on your phone instead. Why? Because of SIM-swapping.

People nowadays rely heavily on their online presence: in today’s world, your e-mail, Facebook, TikTok or Instagram account has become part of your identity. So you’ll want good passwords for your accounts, plus the extra layer of security provided by two-factor authentication (2FA). But don’t use SMS for that!

You definitely want to use two-factor authentication (2FA) on at least all your important online accounts (e-mail, Facebook, website, etc.). This means that in addition to using a strong password (do use a password manager), you also have to prove you are in physical possession of a second device: usually your phone, or, more recently, a hardware security key.

SMS is the basic (but outdated) way of doing 2FA: when you try to sign in from a new device, a code is sent to your phone number by text message.

However, as this episode of the Perfect Scam podcast on the multi-million SIM-swapping business demonstrates, there is no way to safeguard oneself against SIM-swapping (though I do suspect it is less likely to happen in Switzerland than in the USA).

Do listen to this podcast, and to other episodes of “A Perfect Scam”. It’s really a great way to become familiar with the kinds of bad actors a normal person can encounter today, and how they operate.

A couple of extra tips:

  • your e-mail account can be used to reset the passwords of all your social media accounts, so it should be extra secure
  • in addition to making sure you don’t use SMS for 2FA, make sure it is not possible to reset your account password by receiving a code or link by SMS
  • use an authenticator app on your phone, like Google Authenticator
  • make sure to print out the backup codes which will allow you to access your account if you are ever locked out, and store them in a safe place.
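To see why an authenticator app is not affected by SIM-swapping, it helps to look at what the app actually does. The following is an added example (not code from this post, Google Authenticator, or any particular service) implementing the standard time-based one-time password algorithm (RFC 6238 TOTP, built on RFC 4226 HOTP) that such apps use. The code is computed from a secret shared with the service at enrollment and the current time only; nothing is sent to the phone over the carrier network, so taking over the phone number gives an attacker nothing. The secret used here is the RFC reference test value, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: what the authenticator app stores after scanning
# the enrollment QR code. In a real deployment it is random and known only to
# the service and the device. This particular value is the RFC 4226/6238
# reference test secret, so the outputs below match the published vectors.
EXAMPLE_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds; the interval after which the displayed code changes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    followed by dynamic truncation to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / step).
    This is the function the authenticator app runs on the phone; its only
    inputs are the stored secret and the device clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Service-side check. Accepts the current step and +/- `window`
    neighbouring steps to absorb small clock drift, and compares in
    constant time so the check does not leak matching digits."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_to_base32(secret: bytes) -> str:
    """Enrollment QR codes carry the secret as base32 inside an otpauth:// URI;
    this is the form the app imports, never the phone number."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("enrollment secret (base32):", secret_to_base32(EXAMPLE_SECRET))
    print("current code:", totp(EXAMPLE_SECRET, now))
```

Running the file prints the code an authenticator app would show right now for this test secret. Note that the service only ever stores the secret and checks `verify_totp`; the backup codes mentioned above are a separate, one-time fallback for when the device holding the secret is lost.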

Stay informed and stay safe!