Beware two-factor authentication using SMS forwarding

The Continuity features, and SMS Relay in particular, are my favorite part of Yosemite so far. Using my iMac as a giant speakerphone is beyond awesome, and group texts in Messages can finally include the one BlackBerry-toting holdout among my friends. (You're invited, too, Mike.) But in certain situations, SMS Relay can have unintended security consequences.

When logging in to Google on my MacBook Air the other day, I got a text message on my iPhone, like I always do, with a code to confirm my identity through two-step verification. Only this time it showed up on my MacBook as well thanks to SMS Relay's text message forwarding. It was actually convenient; I was able to mindlessly copy and paste the code into my browser, but it got me thinking: What happens if someone makes off with my computer and also gets hold of my password? Over at Macworld, Glenn Fleishman mulled over the same situation.

However unlikely that scenario (most password theft happens out in the electronic ether, away from personal devices), it's still a possibility. Fortunately, there are ways around this. The securest form of two-factor verification uses two devices, and you can ensure that by having Google or whoever is trying to confirm your identity do so by a phone call. That way there's no chance of the text falling into the wrong hands. (While someone could answer that call to your iPhone with your Yosemite Mac, the phone would have to be within Bluetooth range, in which case you likely are as well.)

Although this is a concern for Mac users because of Yosemite's new features, the problem is nothing new. Anyone using a Google Voice number for two-step verification who also has text-to-email turned on could be at risk as well. In fact, that would only require one stolen Google password and no devices, so you might want to rethink that setup as well, even if you're not an iPhone user.

The moral of the story is that if you're serious about two-factor verification, and you should be, consider how your second factor is being delivered and to what device. And yes, I realize this creates one more opportunity for BlackBerry Mike to bring up his phone's security features. At least he's getting invited to more parties now.
