Quote:In the past couple of years, the concept of two-factor authentication (2FA), long the preserve of geeks, has found its way into the mainstream. However, the talk is still largely confined to using 2FA for one-time passwords over SMS. Sad to say, this is not the most reliable option. Here’s why:

• It’s easy to sneak a peek at passwords sent by SMS if lock-screen notifications are enabled.
  
• Even if notifications are turned off, a SIM card can be removed and installed in another smartphone, giving access to SMS messages with passwords.
  
• Password-bearing SMS messages can be intercepted by a Trojan lurking inside the smartphone.
  
• Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network.
  
• SMS messages with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit the messages.