We will text you a code...

The worst thing you can do is to secure your user logins with passwords. The second-worst thing you can do is to secure your user logins with text message MFA,... but SMS logins are volumes better than passwords alone.

There have been volumes written on how bad it is that most systems rely on passwords, and I won't go into that in depth other than to summarize:

• Passwords get stolen all the time, sometimes even when the user has made adequate efforts to protect them.
• Often "easy to remember" has also become "easy to guess," making the password ineffective at protecting the login.
• A lot of people reuse passwords on multiple sites, unaware that a breach on any one of those could expose their password for all of those websites.
• Some systems require changing the password every 60 or 90 days, and since the user often waits until they can't wait any longer, the new password is rushed, and not as secure as the original.
• The old guidance that a complex password has "one uppercase letter, one lowercase letter, one number, and one symbol" actually makes it easier to brute-force guess a password. Even though NIST has updated their password complexity guidelines long ago, few systems have been updated with the new guidance.
• Some share their passwords with others over unencrypted plaintext, and which get backed up to a remote server in the same unencrypted format.

Passwords continue to be popular because they're familiar, they're ubiquitous, and every browser and password vault these days knows exactly how to handle them.

Multi-Factor Authentication

Multi-factor authentication (MFA) means the user's identity is verified at least two different ways. Usually one authentication method is the password (which, again, is because everyone knows what to do with them), the second factor can be a lot of different things, including a hardware device, a passkey (a secret code that is never transmitted but used to generate evidence of knowing the secret), a security question, or a text message code.

Many websites have now implemented MFA, which is much better, in any form, than a password alone. But when it comes to text message one time passwords (OTPs), I love 'em, I hate 'em, and I have better ideas for them.

Reasons to love text message codes

Text message codes are sent directly to the user at a mobile phone number they have and may continue to have for the rest of their lives. Phone numbers outlive phones, so even if you upgrade your phone in a couple of years, that one website you only access every couple of years will still be able to verify your identity.

They're also easy. Usually the code is numeric, so there's no confusion about similar looking characters, e.g. whether the one time code is a 0 or an O, an l (lowercase 'L'), I (uppercase 'I') or a | (pipe symbol), ',' or a '.'.

They're short-lived. Usually the code is only valid for a few minutes, so an attacker would have to be at the right place at the right time to intercept and use that code. An hour from now, it won't be valid anymore.

Reasons to hate text message codes

I'm sure you've seen apps that can read those codes. Usually they're intended to be helpful, grabbing that OTP from the text message and filling it in for you. Even WhatsApp setup helpfully reads those codes. Some phones even offer an option that will let you tap to copy the code right from a notification so you can paste it.

So it's not that far of a stretch that a malicious app could do the same thing, read the code and send it off to someone else so they can login as you.

The text messages can even be intercepted before they arrive at the phone, which is why Google has advised Android users to disable the old unencrypted 2G mode.

A better solution

There are many MFA solutions that are based on an app in which no code is sent over the airways at all. Based on the device's clock and a secret code, it knows what the OTP should be right now, and once a minute it changes. Since these devices are designed to never ever share their secrets, those secrets do not transfer to another device, that makes these solutions superior to any transmitted OTP. But also, it means that secret will not be available on the user's next smartphone.

A better solution is that instead of transmitting a numeric code, the website transmits a one time use link. The link can then verify the user with some other factor, looking for a familiar device ID, or verifying the user's identity using other means. This has all the advantages of a text message OTP while significantly reducing the risk that the intercepted link would provide access.

Disclaimer

As with any advice on providing better protection, someone determined enough will find a way in. The least most of us should be trying for is what I call a "bike lock mentality."

Bike Lock Mentality

Imagine you're at a bicycle-friendly university like CU Boulder or UC Davis, and outside a big building is a parking lot packed with bicycles. If you're looking to steal a bicycle (either for convenient transportation or to sell the bike for cash), there will be a mix of security situations. Some bikes will have strong locks on them, and while you could technically invest in "bolt cutter" equipment to cut off that lock, there are plenty of other bicycles that have no protection on them at all, or are poorly secured, such as locking a removable wheel to the frame.

The goal as the owner of the bicycle should be to make your bicycle less attractive so they'll move on to someone else.

The same mentality should be applied to your data. You don't need bank vault level security, just make it difficult enough for someone to get your data that an opportunistic attacker will move on to an easier target.