Is it OK to use text messages for 2-factor authentication? [Ask ZDNet]
Welcome to the first installment of a new weekly advice column, Ask ZDNet. It’s a time-honored editorial format, like Dear Abby but with a much better grasp of modern tech.
This week, we tackle three thorny questions: Are text messages too dangerous to use as a second factor for 2FA? Do you really need Windows 11 Pro edition? And why do smoke detector batteries always seem to die in the middle of the night?
If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can steer you in the right direction.
Questions can cover just about any topic that’s remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice … well, you get the idea.
Send your questions to [email protected]. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about.
Is it OK to use text messages for 2-factor authentication?
I know I’m supposed to use 2-factor authentication for everything, but I keep reading that using text messages for 2FA is dangerous. Do I really need to worry about this? What are my alternatives?
First things first: Yes, setting up 2FA is a crucial security step for any important online account. When this form of authentication is enabled, you need to provide a second proof of your identity when signing in to an online service for the first time on a device. If your password is stolen in an online data breach or someone fools you into giving it up, the attacker can’t access your account because they don’t have access to a second authentication factor. (For a detailed explainer, see “Multi-factor authentication: How to enable 2FA to step up your security.”)
The most basic form of 2FA involves a text message, sent via SMS to a phone you previously registered with your account. After you type in your password, you receive a text message with a code that you enter as the final step of authenticating.
SMS-based 2FA is absolutely better than no 2FA. But it’s vulnerable to a variety of attacks, including SIM swapping, where the bad guy is able to intercept the SMS messages and take over the account. This type of attack takes a great deal of work and is most likely to target a high-value account, like one belonging to someone who works at the support desk for a big corporation. But even if you aren’t a target for a global hacking network, it’s smart to steer clear of SMS authentication whenever you can.
There are two great alternatives to SMS-based 2FA codes. First is a free authenticator app, which generates 2FA codes or receives approval prompts directly on your phone. (For details, see “Protect yourself: How to choose the right two-factor authenticator app.”) For maximum security, consider a physical hardware key that you connect using USB or NFC. Hardware keys cost more and aren’t as easy to use, but they’re ideal for high-value accounts that need extra protection. (See “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”)
Where are all the PCs with Windows 11 Pro?
I’m ready to buy a new PC, but all of the computers I see for sale at my local retail outlets are running Windows 11 Home edition. Do I need to upgrade to Pro? How do I do that without spending a fortune?
As you’ve noticed, the PC industry is extremely price-sensitive. The reason you see so many PCs running Windows Home edition is that it costs the PC makers less than the Pro edition, which in turn allows them to cut the price tag on a PC model by about $100.
For most consumers, Home edition is good enough. Businesses that run on Windows enterprise networks need Pro edition, however, because it’s a requirement to join a PC to a Windows domain or Azure Active Directory account and then manage that PC with Group Policy and mobile device management software.
Pro edition does have a few added features you might be willing to pay for, especially if you’re planning to use your PC for business.
- It supports full BitLocker encryption without requiring the user to sign in to a Microsoft account. It also allows the use of Windows Information Protection features for secure document sharing.
- You get to use the full Hyper-V virtualization platform to create and run virtual machines.
- You can configure Pro edition to be a remote desktop server, allowing you to connect to it remotely from another Windows PC (even one running Home edition) or from a Mac or a mobile device.
- Instead of installing updates on Microsoft’s schedule, you can set up custom schedules for devices, deferring updates for up to 30 days while you wait for other people to experience any update-related bugs.
But that’s pretty much it.
If you prefer a PC that comes with Windows 11 Pro (or Windows 10 Pro, for that matter), your best bet is to look online, where you can find stores that specialize in PCs built for business. You can also go to online dealers like Dell, who will happily configure a PC to your specifications. Adding the upgrade to Windows Pro typically costs $50-80.
Or you can buy one of those PCs with Home edition installed and upgrade it yourself.
If you have a license key for a Pro or Business edition of Windows 7, Windows 8.1, or Windows 10, you can use it to upgrade. (Instructions here: “How to upgrade from Windows 10 Home to Pro for free.”)
You can also buy the Pro license online. The full retail price is $200 (ouch) at the Microsoft Store. You can find legitimate discounts of $50 or so from other online retailers, but be very suspicious of any discount that’s more generous than that. If you see someone offering a “lifetime license” for Windows 11 Pro for $49, there’s a good chance that the seller is not authorized to distribute that license, and there’s a chance (small, but not zero) that Microsoft could revoke your license key in the future.
How do I silence that chirping smoke alarm?
The smoke alarm mounted on my bedroom ceiling started chirping again last night, waking me out of a sound sleep. I’m tempted to just disconnect it completely. Any suggestions on how to set things up so I can get an uninterrupted night’s sleep once again?
According to the folks at Kidde, which manufactures smoke alarms, there’s actually a reason for those chirps in the night.
As a smoke alarm’s battery nears the end of its life, the amount of power it produces causes an internal resistance. A drop in room temperature increases this resistance, which may impact the battery’s ability to deliver the power necessary to operate the unit in an alarm situation. This battery characteristic can cause a smoke alarm to enter the low battery chirp mode when air temperatures drop. Most homes are the coolest between 2 a.m. and 6 a.m.
Now that we’ve settled that, please don’t disconnect your smoke detector. It can literally save your life by giving you early warning of a fire so you have time to escape. Modern alarms can also detect another potential killer: the odorless but deadly carbon monoxide.
The simplest fix is to set a calendar reminder to change those batteries around the same time every year, using fresh, high-quality lithium batteries. Don’t use rechargeable batteries, and don’t use batteries that have been in storage for a while. For those of us in the Northern Hemisphere, Halloween is a good date, in my experience, as it leads into the winter when windows are likely to be closed most of the time and house fires (and carbon monoxide poisoning) are statistically more likely.
If you’d prefer to skip that annual chore, get batteries specifically intended for long-term use in smoke detectors and other critical devices. The Energizer Ultimate Lithium battery, for example, is designed to last 10 years, which is also how often most smoke detectors should be replaced. Just remember to set a calendar reminder for a decade from now to replace those batteries!
Send your questions to [email protected]. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.