This is a follow-up on my previous post on people using social engineering to hijack someone's cell phone number to get their 2FA SMS messages. Original post is here
I could have named this post:
Most sites do 2FA wrong;
2FA via SMS isn't true 2FA;
A better 2FA
Anyway, yes I started out doing 2FA via SMS messages because that is what most websites prompt you to do, register your phone number to get a code via SMS to use as 2FA. I thought it was a great idea, until I read how easy it is for anyone to call your cell phone provider and "steal" your phone number and associate it with another physical phone. So they don't even need the phone that "you have", they just need your phone number. Not good! (I'm not even going to get into intercepting your SMS messages on the network).
But there is hope. Using an authenticator application on your phone, someone would truly need to steal your physical device for any chance at intercepting your 2FA method. Even if they do steal your phone number, they don't have the app on your phone. This seems much more secure.
Even before switching to an authenticator app I was getting annoyed by SMS 2FA. Most annoying would be sitting at a login screen for a minute or two just waiting for an SMS message to arrive. And sometimes the SMS wouldn't even arrive and I'd have to click "I didn't get the SMS" and try again. Such a waste of time. Authenticator apps are much quicker, the number is generated instantly.
If you have looked into these apps you have probably read about Google Authenticator and Microsoft Authenticator. I've used the Google one and it was fine, but I have since gone Google free on my Android, but there is another option that I have found is excellent called Duo Authenticator. It does present a warning about Google services not being installed but it works just fine. (If I remember correctly I used the Yalp Store app to download Duo from the Google Play Store without a google account). There are also some open source authenticator apps on FDroid but I haven't tried those.
The only thing that concerns me now is what happens if I upgrade my phone or lose it and need to replace it? If anyone knows please comment, I'll have to read up on that. Do I need to log into each website using my old 2FA app, then update the 2FA settings to my new phone?
How do you use 2FA?