Why Two-Factor Authentication Isn’t Always Totally Secure

Why Two-Factor Authentication Isn’t Always Totally Secure

In 15 minutes, you can lose your phone service, identity and money. All it takes is insecure two-factor authentication and human error.

Two-factor authentication is an additional method of security that’s used to supplement your login credentials on websites that have it enabled. It requires you to confirm you’re logging in with a physical device only you would have, for example, such as a mobile device and through SMS or an app.

Most people seem to agree that it’s incredibly secure and no one really challenges that.

There are instances where it’s not the bullet-proof security strategy we all thought and it’s in cases of SMS-enabled two-factor authentication.

Today, I’ll share more detail on two-factor authentication, it’s potential security risks with SMS and how you can protect yourself from being hacked.

What is Two-Factor Authentication?

Typically, when you log into a website, you’re only required to enter your username and password to successfully gain access. While this is generally secure if you’re using strong login credentials, there are potential risks.

For example, if your login credentials are compromised due to an attack such as phishing or other successful hacking attempts, your password could be learned by a hacker and they could gain access to your website.

If you don’t use a strong password, a hacker could guess your password to gain entry. This is known as a brute force attack.

For details, check out A Complete Guide to WordPress Password Security and The Ultimate Guide to WordPress Spam.

Two-factor authentication is an extra level of security known as multi-factor authentication. It adds an extra step to the login process. Instead of only having to enter your username and password to log into a website, with two-factor authentication enabled, you also need to confirm your identity in one additional step.

There are multiple ways to confirm your identity with two-factor authentication:

  • An app on your mobile device
  • SMS using your cell phone
  • A security token (long string of randomized letters and numbers) that you physically copy down in advance
  • An encrypted USB drive
  • Key fob
  • A physical card that’s read by a card reader

Naturally, online two-factor authentication consists of using an app, SMS, security token or USB drive.

If you installed and activated Defender on your WordPress site and you need the Google Authenticator app on your iPhone or Android device to successfully log in, then you have encountered two-factor authentication.

For details, check out What is 2FA? and Defender: Now with Two-Factor Authentication

Why You May Need It

Two-factor authentication adds an extra layer of security to your WordPress site, when enabled.

With about 30,000 websites being hacked everyday and over 90,978 of WordPress sites of all sizes are being attacked every minute, it makes sense to add an extra layer of security.

Illustration of a key lock.
It’s important to enable two-factor authentication, but also understand the potential risks.

When Two-Factor Authentication Isn’t Secure

In most cases, two-factor authentication for WordPress sites is secure and it’s recommended you use this option for your account as well as other users’ accounts.

That being said, it is possible for multi-factor authentication with SMS to not always be secure. Although, it has more to do with human error, but not on your part. That’s where things get a little hairy.

One person by the name of Justin Williams took to Twitter, shocked, to inform the public about an event where two-factor authentication via SMS failed:

Later, a blog post was published detailing the full event.


  1. They noticed that their cell phone had no service.
  2. They received a legitimate password reset email from Google.
  3. Then, they received a legitimate email from PayPal notifying about a withdrawal from their bank
  4. A call was made to their cell phone provider and they verified their name, address and security key.
  5. The cell phone provider noted that several phone attempts were made to receive a new SIM card, but the person was turned away for not providing the security key.
  6. Unfortunately, on one of those phone attempts, the agent didn’t ask for a security key and the hacker was able to have a new SIM card issued.
  7. Since PayPal only requires an email address and SMS to reset your password, the hacker was able to get into their PayPal account once they got a hold of the new SIM card.

In the end, the hacker took several hours trying to find a customer service agent that didn’t follow protocol and ask for a security key.

But here’s the kicker: once the hacker got through to an agent that broke protocol, it only took about 15 minutes to compromise the cell phone and steal money from the victim’s bank account.

Bottom line: the hacker was successful because SMS two-factor authentication wasn’t enough when the cell phone provider didn’t follow basic security protocols.

The Potential Security Risks

So does that mean all two-factor authentication or at least the SMS kind isn’t secure?

Not at all. What it means is that there’s potential for SMS and other multi-factor authentication to be rendered ineffective when human error is a factor.

There are many ways that two-factor authentication can be inadequate:

    • As mentioned above, your cell phone provider breaks security measures
    • A strong security code isn’t given to your cell phone provider
    • You don’t choose strong passwords
    • Your passwords are stored insecurely
    • Your phone or other mobile devices are stolen
    • You don’t keep your phone or other mobile devices securely locked
    • Your computer or laptop is stolen
    • You fall prey to phishing attacks by email or by phone
    • You publish a tweet announcing you have cryptocurrencies that attracts a lot of attention

Unfortunately, there are a lot of ways that human error can become all too real so it’s important to take as many steps as possible to ensure security.

How to Stay Safe

Fortunately, there are several ways you can protect yourself and secure your WordPress website, your identity and keep two-factor authentication effective:

        • Give your cell phone provider a security key and if you personally call in and they don’t ask for it, mention it.
        • Use and enforce strong passwords on your WordPress website.
        • Use different strong passwords for each of your WordPress (and other) websites.
        • Install and set up Defender.
        • Enable two-factor authentication for all or as many users of your site as possible.
        • Don’t use and disable SMS two-factor authentication.
        • Use a secure lock on your mobile devices and your computer.
        • Don’t save all your passwords in your browser, or
        • Use a secure password storage service.
        • Store physical security tokens in multiple safe locations.
        • Keep a watchful eye for legitimate notifications of password resets or PayPal transfers through email or SMS.
        • Be aware of phishing scams and how you can detect and avoid being a victim of them.
        • Don’t post personal or identifiable information publicly online no matter how innocent it seems including that you have funds available in PayPal or elsewhere, when you’re going on vacation, your phone number, email address and other similar details.
        • Keep your computer and mobile devices in a secure location and keep a watchful eye on them when you’re out in public. Also be sure that no one looks over your shoulders as you’re on any of your devices.

It may be important to note that if you use a browser that saves all your passwords for you and your computer gets stolen, all your passwords could be compromised that way. So consider removing all your currently saved passwords, turning on two-factor authentication for every website that provides it or use a secure password storage service.

It can also be helpful to have a scheduled backup service for your WordPress site and computer so you don’t lose all your files if your website is hacked or your computer is stolen. Encrypting your files also proves to be beneficial in these cases.

While many of these steps may seem obvious, it can be easy for even the more secure-conscious people to forget or have a false sense of security at times. You also shouldn’t underestimate hackers since there’s financial gain at stake for them.

For more details, check out The Ultimate Guide to WordPress Security and The Ultimate Guide to WordPress Spam.

Wrapping Up

It can be far too easy to assume you have all your security measures wrapped up in a neat little bow, but sometimes it can only take 15 minutes to prove how wrong you are with unfortunate consequences.

While two-factor authentication is generally secure, you shouldn’t always assume it’s the perfect form of security because human error can render it utterly ineffective.

Whether you’re losing $200 from your PayPal account or losing $8,000 in bitcoin, the consequences of becoming complacent are dire.

That’s why it’s important to stay on top of your security measures and the steps outlined above should get you off to an excellent start.

Do you currently use two-factor authentication for your WordPress website? What are your reasons for using or not using it? How do you secure your WordPress site? Feel free to share your experience in the comments below.

Jenni McKinnon

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.