Getting a second opinion is a great idea in both medicine and end-user cybersecurity. Two-factor authentication (2FA) and its generalization, multifactor authentication (MFA), are powerful tools against the many attacks that target end-user devices and internet-based services.

There’s just one big problem: it’s far, far too common for people to use text messaging as the second factor. That turns a phone number into a digital identity credential, a role it was never designed to play. If someone loses a smartphone, or has it stolen or taken from them, they also lose access to their authentication codes. Worse, an attacker can have the phone number moved to a device they control, at which point the attacker, not the user, receives the authentication codes. Here’s what to do about the 2FA and MFA phone problem.

How Two-Factor and Multifactor Authentication Work

Both of these precautions work by requiring more than one ‘authentication factor.’ A factor is something the user knows (a password), something the user has (a phone or hardware token) or something the user is (a fingerprint or face).

One of the most common combinations is a username and password (something the user knows), plus a code or link sent by text message to the user’s phone (something the user has).

But there are others. Authentication factors can be a PIN code, an item of personal trivia (mother’s maiden name, for example), a key fob, your face or many others. Note that a PIN and a security question are both things the user knows; combining two factors of the same kind does not make a login multifactor.

Multifactor Authentication in Real Life

It plays out a million times a day. A user forgets a password, or chooses to change it. Or they visit a website from a different location than normal, with a different device, or on a site that re-verifies its users periodically. So, the site sends a code, link or one-time password to the user’s phone via text message.

The problem with this is that it assumes that only the original, honest user could possibly have access to the phone number paired with the text. And that’s a bad assumption.

In the past, people assumed that only the original signer could write their signature the way they do. That was a pretty good assumption. When we assume that only a real user could have the registered face or fingerprint, that’s a pretty good assumption, too. But possession of a phone number? Not so much.

It turns out that threat actors can figure out which of the phone numbers offered on wireless providers’ websites are ‘recycled’ numbers: once used, then abandoned by the previous owner. They can then match those numbers against leaked login credentials for sale on the dark web. By signing up for one of those numbers as a new subscriber, an attacker can hijack the previous owner’s accounts: request a password reset and receive the confirmation code on the number they now control.

The Problem With Recycled Phone Numbers

Princeton University researchers sampled 259 phone numbers offered by two U.S. wireless carriers. They found that 171 of them matched up with current accounts at various websites and 100 matched up with leaked credentials on the web.

Interestingly, the researchers noticed that the carriers’ number-selection pages offer never-used numbers in runs of consecutive values, while recycled numbers appear as scattered, non-consecutive entries, which reveals that they have been used before. According to the researchers, attackers can automate the discovery of such numbers.
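The consecutiveness heuristic described above is simple enough to show in code. The following is an added example, not code from the original article or from the Princeton researchers: it takes a list of numbers as a carrier page might display them (the listing below is constructed, using the reserved 555-01xx range), groups them into runs of consecutive values, and flags any number that does not sit in a run of at least min_run numbers as likely recycled. The min_run threshold is an assumption for illustration.

```python
"""Flag likely-recycled phone numbers from a carrier's 'available numbers' listing.

Heuristic (from the Princeton number-recycling study as described above):
fresh numbers are listed in runs of consecutive values; recycled numbers
show up as isolated, non-consecutive entries.  This is an added example,
not the researchers' own tooling.
"""
from typing import Iterable


def parse_number(raw: str) -> int:
    """Strip formatting from a US number such as '(609) 555-0142' -> 6095550142."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):  # drop the country code
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {raw!r}")
    return int(digits)


def consecutive_runs(numbers: Iterable[int]) -> list[list[int]]:
    """Group numbers into maximal runs where each value is the previous one plus 1."""
    runs: list[list[int]] = []
    for n in sorted(set(numbers)):
        if runs and n == runs[-1][-1] + 1:
            runs[-1].append(n)
        else:
            runs.append([n])
    return runs


def likely_recycled(listing: Iterable[str], min_run: int = 3) -> dict[str, bool]:
    """Map each listed number to True if it is probably recycled, False if probably fresh.

    A number is treated as fresh only when it belongs to a run of at least
    `min_run` consecutive numbers; `min_run` is an illustrative assumption,
    and this is a heuristic, so expect false positives and negatives.
    """
    raw_by_value = {parse_number(raw): raw for raw in listing}
    fresh: set[int] = set()
    for run in consecutive_runs(raw_by_value):
        if len(run) >= min_run:
            fresh.update(run)
    return {raw: value not in fresh for value, raw in raw_by_value.items()}


# Constructed sample listing: a run of four fresh numbers, a pair, and two singletons.
SAMPLE_LISTING = [
    "609-555-0140", "609-555-0141", "609-555-0142", "609-555-0143",
    "609-555-0151", "609-555-0152",
    "609-555-0177",
    "609-555-0188",
]

if __name__ == "__main__":
    for number, recycled in likely_recycled(SAMPLE_LISTING).items():
        print(f"{number}: {'likely recycled' if recycled else 'likely fresh'}")
```

The output for the sample listing marks 0140 through 0143 as fresh and the remaining four as likely recycled. Defenders can run the same grouping over their own enrolled numbers only if they have a carrier listing to compare against; the more useful defensive signal is simply whether a phone number was enrolled long before it was last activated.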

The researchers also monitored 200 recycled numbers. Within one week, roughly 10% of them had received privacy- or security-related messages intended for the previous owners.

Princeton’s research points directly at the gaping hole in 2FA and MFA cybersecurity that relies on a phone number. But so does common sense.

In addition, a crowdsourced project called found that nearly one-third (30%) use 2FA via text message. (Around 40% support authentication apps.)

Beyond Text Messaging Codes

Text-based authentication doesn’t only fail when someone’s number changes. Criminals can intercept texts in transit, for example by abusing the SS7 signaling network that carriers use to route messages, or with rogue base stations that capture a nearby phone’s traffic. They can trick, blackmail or bribe phone company employees into transferring a victim’s number to a SIM card the attacker controls (called SIM swapping). And text-based codes are just as phishable as passwords: a phishing page that relays the victim’s login to the real site in real time simply asks for the code and uses it before it expires.

The bottom line is that a phone number can be assigned to more than one person over its lifetime. Attackers (or accidents) can separate phones from their owners. Attackers can intercept texts or otherwise break into messaging. For all of these reasons, 2FA or MFA that relies on texting is far less secure than many other methods.

What About the Password Element of MFA?

Of all the factors that could be used for multifactor authentication, by far the most common are 1) username/password; and 2) text messages.

It’s bad enough that texting is an insecure method, but usernames and passwords are weak, too. Far too many users choose weak passwords and reuse them across sites, and threat actors steal far too many of these and sell them on the dark web to other criminals.

The one-two punch that will improve 2FA and MFA security is to mandate strong, unique passwords and the use of password managers. Next, retire text-based authentication in favor of something more secure, such as an authentication app, where the one-time code is computed on the device from a secret that never travels over the phone network. Keep in mind that app-generated codes can still be captured by real-time phishing; where the risk warrants it, hardware security keys and passkeys (FIDO2/WebAuthn) resist phishing because the credential is bound to the site’s origin. With these, you’ll have a first line of defense in place.
