Any plans on 2FA with SMS?

Hi,

Just wondering, are you guys planning on adding 2FA with SMS any time soon? I think adding SMS 2FA would really boost WordPress security.

P.S. Thanks for always working on making WP Cerber better.


We’ll soon implement support for TOTP mobile apps, such as Google Authenticator, instead.

We’ve decided not to use SMS for sending 2FA codes, and here’s why: First off, SMS messages aren’t end-to-end encrypted, which means they could potentially be intercepted during transmission. Next, there’s a real risk of SIM swap attacks. In such attacks, a bad actor could take over a user’s phone number and intercept their text messages, including 2FA codes. Another concern is that some apps on a user’s phone have access to read your SMS messages. This can lead to 2FA codes being exposed if one of those apps is compromised. Additionally, many people are hesitant to share their mobile numbers due to privacy concerns. Lastly, sending text messages isn’t free. You need to use a paid service provider like Twilio to send 2FA codes via SMS, which involves additional costs.

For all these reasons, we believe it’s safer and more efficient to use emails and TOTP for 2FA. Using email has its own advantages: it is a natural part of a user’s profile on any WordPress-powered website, and email is available on any smartphone, tablet, or desktop computer.