Beware two-factor authentication using SMS forwarding

David Gluckman, @DGee
October 31, 2014

The Continuity features, and SMS Relay in particular, are my favorite part of Yosemite so far. Using my iMac as a giant speakerphone is beyond awesome, and group texts in Messages can finally include the one BlackBerry-toting holdout among my friends. (You're invited, too, Mike.) But in certain situations, SMS Relay can have unintended security consequences.

When logging in to Google on my MacBook Air the other day, I got a text message on my iPhone, like I always do, with a code to confirm my identity through two-step verification. Only this time it showed up on my MacBook as well thanks to SMS Relay's text message forwarding. It was actually convenient; I was able to mindlessly copy and paste the code into my browser, but it got me thinking: What happens if someone makes off with my computer and also gets hold of my password? Over at Macworld, Glenn Fleishman mulled over the same situation.

However unlikely that scenario (most password theft happens out in the electronic ether, away from personal devices), it's still a possibility. Fortunately, there are ways around this. The most secure form of two-factor verification uses two devices, and you can ensure that by having Google, or whoever is trying to confirm your identity, do so by a phone call. That way there's no chance of the text falling into the wrong hands. (While someone could answer that call to your iPhone with your Yosemite Mac, the phone would have to be within Bluetooth range, in which case you likely are as well.)

Although this is a concern for Mac users because of Yosemite's new features, the problem is nothing new. Anyone using a Google Voice number for two-step verification who also has text-to-email turned on could be at risk too. In fact, that would only require one stolen Google password and no devices, so you might want to rethink that setup even if you're not an iPhone user.

The moral of the story is that if you're serious about two-factor verification, and you should be, consider how your second factor is being delivered and to what device. And yes, I realize this creates one more opportunity for BlackBerry Mike to bring up his phone's security features. At least he's getting invited to more parties now.
