Passwords are simply not enough in today’s world. Most companies now offer a second form of verification beyond the password to authenticate your login, commonly referred to as Two-Step, Two-Factor, or 2-FA in short. 2-FA is a solution, but the type of 2-FA you choose can greatly impact your security. Generally there are at least two forms of 2-FA offered; Passcodes and Text Message codes.
Text messages are not considered secure and can be easily retrieved from the phone company by someone impersonating you and tricking the phone company in to porting your SIM to a different device. In addition, most phone providers now provide you the ability to text from their website. A hacker could simply gain access into your account on your phone company’s website and have all of your text messages available to them. Lastly, text message codes are static and valid for a very long time. This means that if a hacker has your password, they could request a 2-FA code via text message, and have as long as they needed to find a way to get the code using the aforementioned avenues.
Google and most other services are very secretive when it comes to disclosing how long a static text message based code is valid for, and rightfully so, because knowing how long a code is valid for will greatly increase the hacker’s odds of success.
When setting up 2-FA, always choose the option to log in with passcodes from security apps, like Google Authenticator, instead of simpler text message-based codes. Passcodes are time based codes that change every 30 seconds, and can only be retrieved on a single device. Secondly, passcodes work without a data connection, and there is no data that could be intercepted by a hacker. These unique characteristics of passcodes thwart the carrier attack vector.
With all that being said, any form of 2-FA is better than none at all, but passcodes are the strongest tool we have to fight unauthorized account access.