Is it OK to use SMS for 2-factor authentication? [Ask ZDNet]





Welcome to the first episode of a new weekly advice column, Ask ZDNet. It’s an age-old editorial format, like Dear Abby, but with a much better understanding of modern technology.

This week, we tackle three tricky questions: Is texting too dangerous to be used as a second factor in 2FA? Do you really need Windows 11 Pro edition? And why do batteries in smoke detectors always seem to die in the middle of the night?

If you have a question about any of the topics covered by ZDNet, one of our editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can point you in the right direction.

Questions can cover just about any work and technology-related topic, including PCs and Macs, mobile devices, security and privacy, social media, home office equipment, consumer electronics, business etiquette, financial advice… well, you get the idea.

Send your questions to ask@zdnet.com. Due to the volume of submissions, we cannot guarantee a personal response, but we promise to read every letter and respond here to any that we think will be of interest to our readers.

Ask away.

Is it OK to use SMS for 2-factor authentication?

I know I’m supposed to use 2-factor authentication for everything, but I keep reading that using text messages for 2FA is dangerous. Should I really be worried about this? What are my alternatives?

First things first: yes, setting up 2FA is a crucial security step for any important online account. When this form of authentication is enabled, you must provide a second proof of your identity when you first sign in to an online service on a device. If your password is stolen during an online data breach or someone tricks you into giving it up, the attacker can’t access your account because they don’t have access to a second authentication factor. (For a detailed explanation, see “Multi-Factor Authentication: How to Enable 2FA to Boost Your Security.”)

The most basic form of 2FA involves a text message, sent via SMS to a phone you previously registered with your account. After typing your password, you receive a text message with a code that you enter as the last authentication step.

SMS-based 2FA is absolutely better than no 2FA. But it’s vulnerable to a variety of attacks, including SIM swapping, where the bad guy is able to intercept SMS messages and take control of the account. This type of attack is labor intensive and is more likely to target a high-value account, such as someone who works in the help desk of a large company. But even if you’re not the target of a global hacking network, it’s a good idea to avoid SMS authentication whenever you can.

There are two great alternatives to SMS-based 2FA codes. The first is a free authenticator app, which generates 2FA codes or receives approval prompts right on your phone. (For more details, see “Protect Yourself: How to Choose the Right Two-Factor Authentication App.”) For maximum security, consider a physical hardware key that you connect via USB or NFC. Hardware keys cost more and aren’t as easy to use, but they’re great for high-value accounts that need extra protection. (See “YubiKey Hands-on: Hardware-based 2FA is more secure, but watch out for these pitfalls.”)

Where are all the PCs with Windows 11 Pro?

I’m ready to buy a new PC, but all the PCs I see for sale at my local outlets are running Windows 11 Home Edition. Should I upgrade to Pro? How to do without spending a fortune?


As you have noticed, the PC industry is extremely price sensitive. The reason you see so many PCs running Windows Home Edition is that it costs PC makers less than the Pro Edition, allowing them to lower the price of a PC model by around $100.

For most consumers, the Home edition is good enough. However, businesses that run on Windows corporate networks need the Pro edition because it requires joining a PC to a Windows domain or Azure Active Directory account and then managing that PC with the group and mobile device management software.

The Pro edition has a few extra features you might be willing to pay for, especially if you plan to use your PC for business.

  • It supports full BitLocker encryption without requiring the user to sign in to a Microsoft account. It also enables the use of Windows information protection features for secure document sharing.
  • You can use the full Hyper-V virtualization platform to create and run virtual machines.
  • You can configure the Pro edition to be a remote desktop server, allowing you to connect to it remotely from another Windows PC (even one running the Home edition) or from a Mac or mobile device.
  • Instead of installing updates on Microsoft’s schedule, you can set up custom schedules for devices, deferring updates for up to 30 days while you wait for others to encounter bugs related to the update.

But that’s about all.

If you prefer a PC that comes with Windows 11 Pro (or Windows 10 Pro, for that matter), your best bet is to look online, where you can find stores specializing in PCs designed for business. You can also go to online resellers like Dell, who will be happy to configure a PC to your specifications. Adding the upgrade to Windows Pro usually costs between $50 and $80.

Or you can buy one of these PCs with the Home Edition installed and upgrade it yourself.

If you have a license key for a Pro or Business edition of Windows 7, Windows 8.1, or Windows 10, you can use it to upgrade. (Instructions here: “How to upgrade Windows 10 Home to Pro for free.”)

You can also purchase the Pro license online. The full retail price is $200 (ouch) on the Microsoft Store. You can find legitimate discounts of around $50 from other online retailers, but be wary of any discount more generous than that. If you see someone offering a “lifetime license” for Windows 11 Pro for $49, chances are the seller isn’t authorized to distribute that license, and there’s a chance (small, but not void) that Microsoft may revoke your license key in the future.

How do I silence this smoke alarm chirp?

The smoke detector mounted in the ceiling of my bedroom started ringing again last night, waking me from a restful sleep. I’m tempted to disconnect it completely. Do you have any suggestions on how to set things up so I can get an uninterrupted night’s sleep again?

According to the folks at Kidde, which makes smoke detectors, there’s actually a reason for those chirps at night.

As a smoke alarm battery nears the end of its life, the amount of energy it produces causes internal resistance. A drop in ambient temperature increases this resistance, which can impact the battery’s ability to provide the power needed to operate the unit in an alarm condition. This battery feature can cause a smoke alarm to go into low battery beep mode when the air temperature drops. Most homes are coolest between 2 a.m. and 6 a.m.

Now that we’ve fixed that, please do not unplug your smoke detector. It can literally save your life by giving you early warning of a fire so you have time to escape. Modern alarms can also detect another potential killer: odorless but deadly carbon monoxide.

The easiest solution is to set a schedule reminder to change these batteries around the same time every year, using new, high quality lithium batteries. Do not use rechargeable batteries and do not use batteries that have been stored for some time. For those of us in the northern hemisphere, Halloween is a good date, in my experience, as it leads into winter when windows are likely to be closed most of the time and house fires ( and carbon monoxide poisoning) are statistically more likely.

If you’d rather avoid this annual chore, get batteries specifically designed for long-term use in smoke detectors and other critical devices. The Energizer Ultimate Lithium battery, for example, is designed to last 10 years, which is also how often most smoke detectors need to be replaced. Don’t forget to set a calendar reminder in a decade to replace those batteries!


Send your questions to ask@zdnet.com. Due to the volume of submissions, we cannot guarantee a personal response, but we promise to read every letter and respond here to any that we think will be of interest to our readers. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for other purposes.




Leave a Comment

x