The Brutal Truth
Jack Dorsey, Twitter's CEO, got SIM swapped in 2019. His phone number-based security meant nothing. If billionaires can't secure SMS, neither can you.
In 2024, T-Mobile admitted hackers accessed 37 million accounts. Verizon had 63,000 accounts SIM swapped. AT&T? They stopped counting.
Why SMS "Security" Is Theater
SIM Swapping
Takes one phone call to your carrier:
- "Hi, I lost my phone"
- Answer some public info
- Your number → Their phone
- Your 2FA codes → Their inbox
Time to execute: 5-10 minutes
Success rate: 80% against major carriers
SS7 Hijacking
The phone network from 1975 has no security:
- $1000 buys SS7 access
- Intercept texts globally
- No detection possible
- Works on any carrier
Demonstrated live on 60 Minutes in 2016. Nothing's changed.
Law Enforcement
StingRay devices capture all local SMS:
- $200K per device
- 500+ US police departments have them
- No warrant needed in many states
- Grabs everything in 2-mile radius
2FA That Actually Works
The Security Hierarchy (Worst to Best)
- ❌ Nothing - You're asking to get hacked
- ⚠️ SMS - Better than nothing, barely
- ⚠️ Email codes - Only if email has real 2FA
- ✅ Authenticator apps - Actually secure
- ✅ Hardware keys - Unphishable
Set Up Real 2FA (10 Minutes)
Option 1: Authenticator Apps (Free, Works Everywhere)
Best Apps:
- Aegis (Android): Open source, encrypted backups, no account needed
- Tofu (iOS): Open source, iCloud sync, clean interface
- 2FAS (Both): Open source, cloud backup, browser extension
Avoid These:
- Google Authenticator: No backup until 2023, tied to Google account
- Authy: Owned by Twilio, had 33 million phone numbers leaked July 2022
- Microsoft Authenticator: Pushes Microsoft account hard, privacy nightmare
Setup Process:
- Download Aegis (Android) or Tofu (iOS)
- Go to account security settings
- Choose "Authenticator App" not SMS
- Scan QR code with app
- Enter 6-digit code to confirm
- CRITICAL: Save backup codes somewhere safe
Option 2: Hardware Keys (Best Security, $25+)
Recommended Keys:
- YubiKey 5C NFC ($55): Works with everything, USB-C + NFC
- YubiKey Security Key ($25): Budget option, just the basics
- Nitrokey 3 ($55): Open source firmware, made in Germany
- OnlyKey ($56): Has physical buttons, stores passwords too
Setup Process:
- Buy TWO keys (one backup)
- Register both on each account
- Store backup key separately
- Test that both keys work
- Remove SMS fallback where possible
Who Supports Hardware Keys:
- ✅ Google, Microsoft, Apple, GitHub, Twitter
- ✅ Cryptocurrency exchanges (Coinbase, Kraken, Binance)
- ✅ Password managers (Bitwarden, 1Password)
- ⚠️ Most banks don't (they profit from fraud)
Critical Accounts to Secure NOW
Priority Order (Do These First):
- Primary Email - Everything else depends on this
- Password Manager - Guards all other passwords
- Financial Accounts - Where your money lives
- Crypto Exchanges - Irreversible if hacked
- Domain Registrar - Can hijack your entire web presence
- Cloud Storage - Your files and photos
- GitHub/GitLab - Your code and reputation
- Social Media - Used for password resets
The Backup Code Problem
Store These Properly or Lose Everything
Every 2FA setup gives you backup codes. Lose them + your phone = locked out forever.
Good Storage:
- ✅ Password manager's secure notes
- ✅ Encrypted USB drive in safe
- ✅ Paper in safe deposit box
- ✅ Split between two secure locations
Terrible Storage:
- ❌ Screenshot on phone
- ❌ Email to yourself
- ❌ Cloud storage unencrypted
- ❌ Sticky note on monitor
Advanced: Eliminate SMS Completely
Remove Phone Number When Possible
Some services let you remove phone numbers after setting up real 2FA:
- Set up authenticator app or hardware key
- Verify it works
- Go to security settings
- Remove phone number
- Test login still works
Works on: Discord, Reddit, some crypto exchanges
Doesn't work on: Google, Apple, most banks
Use VOIP Numbers for Forced SMS
When services demand phone numbers:
- Get Google Voice or Skype number
- Use for non-critical accounts only
- Never for banking or primary email
- Harder to SIM swap (not impossible)
When 2FA Goes Wrong
Phishing That Beats 2FA
Real-time phishing proxies exist:
- You enter code on fake site
- Attacker enters on real site
- They're in before the code expires
Defense: Hardware keys only. Can't be proxied.
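Why the proxy fails against a hardware key: with FIDO2/WebAuthn the browser, not the web page, writes the page's origin into the signed client data and selects the credential by the site's domain, so a challenge relayed through a look-alike domain either gets no signature at all or is rejected by the real site. The simulation below is an added example, not code from this page or from any key vendor. It uses a per-site HMAC key as a stand-in for the real per-site signing key pair (so the "server" here holds a secret it would not hold in the real protocol), and the origins bank.example / bank-login.example, the class names and `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def rp_id_from_origin(origin: str) -> str:
    """Browser rule: the relying-party id comes from the host of the page that called the API."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class SecurityKey:
    """Toy authenticator: one credential per relying-party id, created at registration.
    Simplification: an HMAC key stands in for the real per-site signing key pair."""

    def __init__(self) -> None:
        self._creds: dict = {}

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # real FIDO2 hands back a public key; the private key never leaves

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Optional[tuple]:
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential for this domain: nothing to sign, the login stalls
        authenticator_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
        signature = hmac.new(key, authenticator_data + client_data_hash, hashlib.sha256).digest()
        return authenticator_data, signature


def browser_get(key: SecurityKey, page_origin: str, challenge: str) -> Optional[dict]:
    """What the browser does for navigator.credentials.get(): it, not the page, fills in the origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    result = key.get_assertion(rp_id_from_origin(page_origin), hashlib.sha256(client_data).digest())
    if result is None:
        return None
    authenticator_data, signature = result
    return {"client_data": client_data, "authenticator_data": authenticator_data, "signature": signature}


class RelyingParty:
    """The real site. Issues single-use challenges and checks origin, rpIdHash and signature."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self._keys: dict = {}
        self._pending: dict = {}

    def register(self, user: str, key: SecurityKey) -> None:
        self._keys[user] = key.make_credential(self.rp_id)

    def begin_login(self, user: str) -> str:
        self._pending[user] = secrets.token_urlsafe(32)  # fresh, single-use challenge
        return self._pending[user]

    def finish_login(self, user: str, assertion: Optional[dict]) -> bool:
        challenge = self._pending.pop(user, None)  # consumed whether or not the check passes
        user_key = self._keys.get(user)
        if assertion is None or challenge is None or user_key is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding: a proxied login fails here
            return False
        if assertion["authenticator_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(user_key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    key = SecurityKey()
    bank = RelyingParty("https://bank.example")  # constructed origin
    bank.register("alice", key)

    # 1. Normal login from the real site.
    ch = bank.begin_login("alice")
    legit = browser_get(key, "https://bank.example", ch)
    ok = bank.finish_login("alice", legit)

    # 2. Real-time proxy: the look-alike page relays the bank's genuine challenge, but the
    #    browser asks the key for the look-alike domain, for which it has no credential.
    ch = bank.begin_login("alice")
    proxied = bank.finish_login("alice", browser_get(key, "https://bank-login.example", ch))

    # 3. Replay of the earlier good assertion: its challenge was already consumed.
    replayed = bank.finish_login("alice", legit)

    return {"legit": ok, "proxied": proxied, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Compare this with a TOTP code, which is the same six digits whichever site you type it into: here the secret material never leaves the key, the browser pins the origin, the server checks it, and each challenge is good for one use.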
Account Recovery Bypass
Support teams are the weak link:
- "I lost my phone and backup codes"
- Social engineering support
- 2FA gets disabled
Defense: Use services with no human support (seriously).
2FA By The Numbers
Microsoft's Data (2024)
- 99.9% of compromised accounts didn't use 2FA
- SMS 2FA blocks 76% of targeted attacks
- App-based 2FA blocks 97%
- Hardware keys block 100%
Google's Advanced Protection
- 0 successful phishing attacks since 2017
- Requires hardware keys
- Used by journalists, activists, politicians
- Free to enable
Your Setup Checklist
Today (15 minutes):
- Download Aegis/Tofu/2FAS authenticator
- Enable on primary email
- Enable on password manager
- Save backup codes securely
- Test login with 2FA
This Week:
- Add 2FA to all financial accounts
- Add 2FA to all crypto accounts
- Add 2FA to social media
- Order hardware key (if budget allows)
- Document backup codes location
This Month:
- Remove SMS where possible
- Set up backup hardware key
- Test account recovery process
- Enable Google Advanced Protection (if using Google)
- Audit and remove unused 2FA entries
The One Rule
Any 2FA is better than no 2FA. But SMS 2FA is one phone call away from worthless.
Start with authenticator apps. Graduate to hardware keys. Never trust SMS.
Related Articles
- 2FA App Comparison - Aegis vs Ente Auth vs Authy: which authenticator is best?
- Open Source Security Keys - Nitrokey, SoloKeys, OnlyKey with auditable firmware
- Hardware Security Keys Comparison - YubiKey, Nitrokey, OnlyKey compared
- Password Manager Comparison - Protect what 2FA unlocks
- Password Security 101 - Strong foundations first