Text Message, Authentication or Passkey?


Text Message, Authentication or Passkey? a reader asks…

I’m looking at improving my online security by implementing multi-factor authentication (MFA). I’m trying to figure out which is best, getting a text message, using an authentication app, or using a passkey? Any advice?

My first bit of advice is this: you’re right in listing the options from worst to best security when it comes to multi-factor authentication. The standard username and password combo by itself isn’t enough to prevent your account from getting hacked, even if you use a strong and unique password. Multi-factor authentication (MFA) should be enabled on every online account that offers it. Which option you choose depends primarily on the online entity you’re dealing with – some still only offer simple SMS (Short Message Service, aka text message), many now offer MFA via an authentication app or a physical key (USB), and more and more are now offering the passkey option. More on this later.

My second bit of advice is to implement the strongest MFA offered by each entity you deal with online. For any that still only offer the SMS method, you should use their contact email or web form to request that they implement a stronger method. These stronger methods cost the online entity money, which may be why they’re reluctant to increase their users’ security. So be the squeaky wheel and ask them for better security for your account. And of course, if an online entity doesn’t offer any sort of MFA, do the same as loudly and often as you can.

One note about my ranking. I put the physical (USB) passkey among the best, although there are drawbacks to using it. For example, you may not be able to use it on every device without the right adapter, and some devices’ security settings won’t allow you to use it at all. So I’d suggest you stick with the biometric/virtual passkey, usually built into your smartphone.

My third bit of advice is to make sure that you’ve got good and continually current backups of your smartphone (which will likely be your primary authenticator, passkey or biometric security device). And keep that device up to date with security updates to the operating system (generally, Google’s Android or Apple’s iOS) and any firmware updates from the device manufacturer.

For iPhones, install iOS updates when they’re released, be sure your App Store settings have automatic updates turned on, and even then open the App Store app weekly: tap your picture at the top, swipe down to fetch the latest available updates, then scroll down and tap “Update All” on the list of available updates for your apps. If you see a red badge overlaid on either your Settings or App Store icon, you need to open that app and find out what’s needed.

For Android smartphones, open Settings > select System > tap Software update > if an update is available, you’ll see an Update button > tap Update. For installed apps, open the Google Play Store app > tap your profile icon > tap Manage apps & device > tap Update all. For both iPhone and Android, you may need to restart the smartphone after a major update is completed.

Back to that first bit of advice: Why is using MFA important to everyone? Given how constantly security breaches are in the news, it is very likely that your credentials have already been compromised somewhere. Your credentials are your username (often your email address) and password for every online entity where you have to log in to an account. This includes email accounts, online banking, shopping, and many other sites you access.


Why is SMS not good enough anymore? As recent news shows, standard SMS text messaging is transmitted in the clear, and can be intercepted by hackers and scammers. I’m not talking about secure communications, such as Apple’s iMessage, or secure messaging apps like Signal, WhatsApp, Facebook Messenger, etc. Those are still secure (my favorite is Signal).

[Screenshot: iPhone iMessage versus SMS]

This still presents a problem in that Google Messages (on the Android platform) is encrypted when communicating with other Android smartphones (but not iPhones), and Apple’s iMessage (on the iPhone/iOS platform) is encrypted when communicating with other iPhones (but not Android smartphones). Both Apple and Google are working towards a common encryption standard (e.g., RCS), but they’re not quite there yet, and your messages aren’t encrypted when you cross between those platforms.

[Screenshot: Apple iPhone two-factor authentication prompt]

Back to my second bit of advice on the best MFA method – Passkeys. Apple smartphone users are used to occasionally seeing a popup on their iPhone that both requests their approval for access to their Apple services from another device, and provides a six-digit code that must be typed in on that other device to gain access. Microsoft and Google and Meta (Meta owns Facebook btw) account owners can add this passkey functionality to their iPhone or Android smartphones, so that anytime anyone/anywhere tries to access your account, you get a popup on your smartphone to authorize that access (even if it is you).

For Microsoft, they have you install the Microsoft Authenticator on your smartphone. For Google, they have you install the Google Authenticator on your smartphone. For Facebook, they have you install Facebook on your smartphone (at least the authenticator is built into Facebook, but buried in the app settings). You may also have other authentication apps on your smartphone, because each online entity who implements passkeys can choose to either restrict that functionality to their own apps, or use whatever’s already built into your smartphone.

I wish it were easier and that all online entities were required to let you use the authentication service you want (generally the one that comes with your smartphone, Android’s Google Authenticator or Apple’s built-in authenticator), but we all prize competition, so they…compete. That makes this whole business much more complicated than it needs to be. Sometimes you can get away with using a 3rd-party authenticator, but for simplicity’s sake I’d suggest you use as few apps as you can get away with.

If you use Google services, you need the Google Authenticator (but also, move to Google’s passkey solution for your Google accounts). If you don’t use any Google services, you don’t need it. If you use Microsoft services, you need the Microsoft Authenticator. You should be able to get away with just these two, unless you have special needs (such as Synology requiring its own authenticator app). iPhone/iPad and Android smartphone users will also have the passkey functionality built into their device by their respective company.

As you start setting this up with your online accounts, be sure to check each one’s security page. There’s usually a way you can see all the various devices, apps and locations where you’re logged in. Prune that list so the online entity doesn’t allow access from anything you aren’t 100% sure is you. While you’re there, set up MFA to the strongest level they offer, and be sure to download the set of backup codes they’ll provide you (as part of the setup). Save those codes in a safe place; you’ll likely never need them, but it’s well worth having them in case your smartphone goes missing or is stolen.

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via Venmo (@PosiTek), via PayPal (support@positek.net), via a credit card through PayPal (support@positek.net, no PayPal account required), or by mailing a check/cash to PosiTek.net LLC, 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!
