When we read about changes to the safety aspects of a company or product, it's often about improvements that make them more secure and safer. Considering the ever-growing increase in cybercrimes and online attacks, this is what we expect. However, today's news about T-Mobile tells a different story. The carrier has allegedly removed support for an important security feature.
T-Mobile, one of the largest network carriers in the US, is already infamous for its data breaches and online attacks, and its latest move has further upset people. According to some Reddit users, the carrier has removed 2FA support with Google Authenticator, raising concerns about their account's security.
T-Mobile Seems To Have Removed Support For 2FA With Google Authenticator
While logging into their T-Mobile account, users have the option to set up two-factor authentication (2FA) along with their password using SMS or Google Authenticator. The latter generates a time-based one-time password (TOTP) to make accessing the account more secure.
However, PhoneArena has spotted users on Reddit complaining that they are no longer seeing the option to log in to their T-Mobile account with Google Authenticator.
A user named “lunakoa” posted, “I just logged into my account and saw that TOTP is no longer available, only SMS. Is it just me or is anyone else seeing this? Wondering if it got removed by me somehow.”
Another user, “MrEdLu,” wrote in a different post, “No option to use it (Google Authenticator) for my login and no option to add it in my profiles. T-Mobile is going backward in security.“ Both these threads were filled with responses from people agreeing with this change.
Google Authenticator is Both More Secure and Convenient Than SMS
Firstly, Google Authenticator is more secure than authenticating via SMS. It's because the one-time password (OTP) sent via SMS can be intercepted by hackers by gaining access to a phone network or SIM card.
Recently, it was also reported that T-Mobile and Verizon employees were offered money in exchange for swapping the SIM cards of customers. Issues like these make SMS-based authentication even more insecure. In contrast, TOTPs are generated locally on devices and are harder to steal.
Moreover, TOTP codes on Google Authenticator are valid for just 30 seconds, making it harder for attackers to steal your data even if they intercept it somehow. SMS-based OTPs, on the other hand, have a longer validity, making them more vulnerable.
The convenience factor is also better with Google Authenticator. If you don't have a network connection or can't access your SIM card for some reason, you can still log in via Google Authenticator easily. Besides, families with multiple T-Mobile accounts don't have to depend on the person with the main line for OTPs. Removing the TOTP support is not a good idea, for sure.
Data Breaches and T-Mobile Are Old Friends
T-Mobile has been home to quite a lot of data breaches lately. It suffered three of them last year alone. These breaches have affected millions of customers, revealing their sensitive information like names, Social Security numbers, driver's license info, and more. This has also led to financial settlements for T-Mobile, costing it millions of dollars.
The carrier has not directly confirmed the removal of TOTP-based authentication, or if this change is temporary or permanent. Earlier, T-Mobile also allowed 2FA via email, which it removed a few years back. Is it time to say goodbye to Google Authenticator now?
We'll have to wait for an official statement to know that for sure. And if it does happen, people are gonna get upset and might approach the FCC for a solution. Even when T-Mobile hiked its prices last month, some users were furious and planned to knock on the doors of the regulatory agency.
