You need to start using security keys for your multi-factor (2FA) implementation. Sure, I would be willing to concede that if you really cannot use security keys, then SMS based 2FA would still be better than nothing. But honestly, it’s not all that great.
Not all mechanisms for multi-factor are the same. SMS (getting a code texted to your phone) is probably the most ubiquitous form of multi-factor. But it’s not actually as secure as most people seem to think it is. There are a few ways it can be defeated. The simplest of which is through ‘real-time’ phishing.
Real-Time Phishing
This attack is just like phishing, with an added twist. In a classic phishing attack, a hacker might try to get you to type your password into a fake site that looks just like a site you expect to visit. Then they could keep whatever you typed into that fake site, and potentially use it later.
With real-time phishing, the attacker will simply need to steal your password, and your 2FA code (the one sent to your phone). Then rather than saving it for later, they will quickly type it into the real site. This is because the 2FA code expires shortly after it is granted to you!
It’s really that simple…
Security Keys are Better
SMS based 2FA is vulnerable to this simple attack style. So if you choose to use it, just keep in mind that any competent adversary can still bypass your security. You should use security keys instead. With a security key, there’s no code to type in, no code that can be stolen by a hacker. Rather, the site you visit communicates with your key to get it to verify your identity. The attacker’s fake site can’t get the key to tell it anything that would allow the key to pretend to be you on any other site, and so your account remains secure – unless the attacker physically steals your key (which is very unlikely).