The Facebook crash leaves an important lesson: SMS does not serve as a two-step authentication system

533 million users have been “naked”. The latest scandalous leak of Facebook user data is the umpteenth demonstration of how a negligent company puts at risk not only our privacy, but our security and even our savings.

The leaked data now exposes millions of users to spoof attacks and other targeted cyberattacks. The danger is enormous, and this new Facebook crash is the latest warning on a sensitive topic: SMS is not a good two-step authentication method.

Be afraid. Very afraid.

Our dependence on the digital world is growing, and while the benefits of the mobile revolution are clear, they also leave unpleasant side effects.

Until recently, a one-time protection (username / password) seemed to suffice, but massive theft of passwords and bad practices by users (using and reusing ‘123456’ as a password is an atrocious idea) made two-step authentication (2FA) much more recommendable when it comes to protecting accounts in all types of services.

Two-step identification: all available methods and their advantages and disadvantages

It was no longer worth just entering username and password. Now you also needed to verify your identity with a passkey, usually a PIN that it came to you through an SMS message to your mobile.

The idea was fantastic … or so it seemed. Only we are (theoretically) in the power of our mobile, so that PIN It could only reach us, right?


In leaks such as those that have occurred with Facebook, the data is no longer just lists of emails and associated passwords. In those data full names come, cell phone numbers —You want to delete it—, but also the gender and location of those users. The threat posed by that data is absolutely enormous.

Facebook’s response to the theft has been staggering, because its philosophy is one of inaction. They have no plans to notify affected users, who can still find out if they are part of the leak thanks to the reputed HaveIBeenPwned service. A recent change in this service allows us not only to know if our email has been leaked, but also if our mobile number and the rest of the data associated with these parameters have done so.

What can “bad guys” do with the data leaked by Facebook?

It is because all that data gives cybercriminals a golden opportunity to carry out all kinds of targeted attacks, so much phishing (with emails that someone we know sends us, “hey, now I can trust myself”) like spoofing.


It is not difficult to imagine that these data could be used by a criminal to impersonate our identity and achieve for example a duplicate of our SIM card. The disturbing SIM swapping is the order of the day, and if we are victims of such an attack we will be in a real bind, because suddenly our mobile will stop working and the attacker will take advantage of it to be able to do all kinds of operations using that mobile.

All the types of scams that you find in Wallapop and other sites of sale between individuals

He will be the one who receives the PIN to make that bank transfer or complete that purchase on Amazon, not you, but it will be you who pays the duck (and the invoice).

The dangerous ramifications of data theft like this are unfathomable, and can also lead to other social engineering attacks that allow other people to collect even more data from us or convince us to send them our ID (do not even think about it), and again the consequences of these mistakes can be fatal.

Say goodbye SMS as a two-step authentication method

I’m a bit heavy on this. I said it five years ago and I repeated it the following year. Protecting your accounts with two-step authentication is a great idea, but doing it with SMS is not so much.


It’s true SMS is better than nothing. It really is. The problem is that this latest disaster that we have seen on Facebook highlights that those mobile numbers are no longer so secure (something we already knew for a long time), and that there are much better alternatives when implementing 2FA systems.

USB security key: what is it and how to make your own

Which? To begin with, specific mobile apps for this purpose. There are several popular ones – Google Authenticator, Microsoft Authenticator, Authy … – but they are joined by other even more secure methods such as physical authentication devices, which often come in the form of “USB keys”.

Cybersecurity experts and even organizations like Amnesty International recommend these ‘physical tokens’. The most famous they are probably Yubikey’sBut there are many other alternatives, including the Titan ones that Google developed long ago.

The solutions are there, but the industry is still anchored in SMS

We know what the problem is and we know there are solutions to (at least) alleviate it, so, What’s up? Why are these types of alternatives not successful in the market?


First, for the condemnation of comfort and convenience. SMS are already an old acquaintance that favors accessibility to these two-step authentication systems. This technology is part of our mobiles, the user does not have to do anything to take advantage of it and also, he knows and trusts it (although perhaps he should not do so much).

The biggest security scandals of 2020: governments, cybersecurity companies, the health sector and social networks were the protagonists

Using safer methods like those mentioned requires a change and effort, something that humans do not like very much. It doesn’t matter if the benefit is clear: we are resistant to change, and having to install a new mobile application and use it on our devices “with how good we were with SMS” becomes difficult.

But actually the real problem is with the industry, which is still absolutely anchored in SMS. Except in the case of certain specific services, there are numerous scenarios in which the support of apps like Google Authenticator (let alone Yubikey-type security keys) is anathema to companies.

The clearest and most delicate example are the banks: I wish you luck trying to find one that works with any of the alternatives mentioned, because (at least that I know of) there isn’t. They know that these types of systems exist, but from there to implement them half a world.

The greats of technology are the ones that little by little begin to integrate these systems into their services. The FIDO2 / WebAuthn Project of the FIDO Alliance and the U2F (Universal 2nd Factor) protocol that promote solutions such as those offered by Yubikey are gradually being supported by more and more services, and although many are interesting due to their potential role as intermediaries of a massive expansion of these technologies, the truth is that SMS rules our world at the moment.

Be careful out there.

Leave a Comment