Forbes contributors publish independent expert analyses and insights.
Google warns that hackers are actively targeting your accounts, looking to steal your security credentials and gain access. Attackers are "intensifying their phishing and credential theft methods," while infostealer attacks have surged 84% in the last year. That's why all users are being urged to tighten their account security to keep these attackers out.
You'll have seen the warnings to enable two-factor authentication (2FA) at a minimum or better still to add a passkey to all accounts. But that's not enough. Too many accounts still have SMS-based 2FA, even if passkeys are enabled as well. Beware -- if your account can be unlocked by a password and an SMS, that account is at risk. Period.
1Password warns that "the longstanding advice to phase out SMS-based MFA has finally become unignorable." SIM-swapping attacks, malicious texts tricking users into sharing codes, and man-in-the-middle attacks that intercept texts in transit are surging.
Google agrees, warning that while "any form of 2-Step Verification adds account security, verification codes sent by texts or calls can be vulnerable to phone number-based hacks." It warns users must "never share your verification codes with anyone," and that "you won't receive a call from Google to verify a code." But it's not enough.
The NSA warns that SMS 2FA "is not recommended" because it is "fairly simple to redirect SMS messaging and defeat the 'what you have' factor." The "what you have" factor is the physical device on which you receive the SMS, while the "what you know" factor is your password. But if the 2FA code can be intercepted, the attacker doesn't need to "have" the device after all.
America's cyber defense agency warns users "do not use SMS as a second factor for authentication. SMS messages are not encrypted -- a threat actor with access to a telecommunication provider's network who intercepts these messages can read them."
All these warnings have been interpreted as a reason to add passkeys or to use smartphone authenticator apps. But what has been largely missed is the need to remove SMS as a means of 2FA. That doesn't mean deleting your recovery phone number. But if you have a passkey and an authenticator app, you don't need SMS 2FA as well.
If you log into your Google Account and select Security from the menu, you'll see "2-Step Verification" as an option. Check you have a Passkey enabled in the first option. And enable both a Google Prompt and Authenticator if you can.
But where it says "Phone Number" to "add phone numbers to get sign-in codes and security alerts," my advice is to delete your number and leave this disabled. That's not the same as "Recovery Phone," which is used "to reach you in case we detect unusual activity in your account or you accidentally get locked out."
You should audit the security on your key accounts: Google, Microsoft, Meta, Apple, Amazon, anything financial. For each one, it's a quick five-point checklist: