
Security experts caution against using SMS messages for two-factor authentication (2FA) because the messages can be intercepted or otherwise compromised. A recent incident illustrates the risk: a security researcher found an unprotected database online that was leaking millions of 2FA codes to anyone who looked.
The database had been left online without a password, so it could be opened in an ordinary web browser. It belonged to YX International, an Asian company whose services include routing SMS text messages. YX International secured the database after TechCrunch notified it.
The database contained sensitive data such as password reset links and 2FA codes sent on behalf of major companies including Google, WhatsApp, Facebook, and TikTok. Despite the exposure, the risk from the leaked 2FA codes was judged to be low, because such codes expire after a short validity period and exploiting them in that window was considered unlikely.
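The reason a leaked code is of limited value is the server-side check behind it. The following is an added example, not code from the article or from any company it names: a one-time-code store that expires codes after an assumed 300-second window, consumes a code on first successful use so it cannot be replayed, and tolerates only a small number of wrong guesses (both limits are assumptions, not figures from the article).

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window; the article gives no figure
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class OtpStore:
    """Server-side store for SMS-delivered one-time codes (constructed example).

    `clock` is injectable so expiry can be demonstrated without sleeping.
    """

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}   # user_id -> [code, issued_at, wrong_attempts]

    def issue(self, user_id):
        # Six random digits; this is the value handed to the SMS gateway,
        # i.e. the kind of value that was visible in the exposed database.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = [code, self.clock(), 0]
        return code

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # never issued, or already consumed
        code, issued_at, attempts = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[user_id]        # expired: a stale leaked code is useless
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: force re-issue
            return False
        entry[2] += 1
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._pending[user_id]        # single use: replay is rejected
            return True
        return False
```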
Experts emphasize the importance of robust 2FA and recommend alternatives such as passkeys, authenticator apps, and physical security keys. While SMS 2FA is still safer than a password alone, users are advised to choose one of these stronger options where it is available.
Passkeys, often regarded as a secure alternative to traditional 2FA, add a further layer of protection but are not immune to threats such as session hijacking. Malware that captures a session after the user has signed in can compromise user data and grant unauthorized access to the account regardless of how the login itself was protected.
Security measures keep evolving to counter changing criminal tactics, which underlines the need for a multi-layered approach. Limiting the damage a stolen session cookie can do, and choosing MFA options such as app- or hardware-based tokens over SMS, are the recommended steps.