Hopefully by now you’ve heeded the repeated warnings from your friends and loved ones (and friendly, beloved internet writers) to use two-factor authentication to secure your digital accounts[1]. That’s where access to Facebook[2] or Twitter[3] or your online bank—anything that supports it, really—requires not just a password but also a special code. Not all two-factor is created equal, however. For better protection, you’re going to want an authenticator app.
Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA from SMS has plenty of potential downside[4]. Specifically, it leaves you exposed if someone hijacks your smartphone’s SIM, a longtime problem[5] that has only gotten worse of late. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts.
“Unfortunately, it isn’t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number—either with a phone call to customer support or walking into a phone store,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen[6] in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.
Instagram, in particular, has seen a surge[7] of troubling SIM attacks, largely because it only supports text-based two-factor for now. The company confirmed that it’s working on the obvious solution: Letting you use an authenticator app instead.