
Two-factor authentication is growing in popularity as a security measure. For example, Google, Facebook, Twitter, and many other services all have two-step security options today as well as many banks and credit unions.

I'm wondering whether using a Google Voice telephone number as the so-called physical device, to which one would receive text message codes to confirm one's possession of the physical device, is a mistake, since potentially your GV account could be hacked, and then your physical device is effectively stolen?

What if you are using two-factor Google authentication, which puts an application on your smartphone to confirm identity: does that make using GV for others safe, if you assume Google is safe?

WilliamKF
  • I'm curious to hear about 2017/2018 answers here, given that people are calling cell phone carriers and getting access to other people's numbers. For the old-school sites depending on SMS 2FA (cough simple.com) this scares me - what can we do to protect ourselves from cellphone operator social engineering? – Kyle Hotchkiss Oct 03 '17 at 20:33

5 Answers


Let's go through some possible 2-factor options and possible forms of attack:

  • Non-Google-Voice SMS
    • If someone steals your phone and can get past any lock:
      • They will have full access to any service that already trusts your phone as a device
      • They have access to your email and can hijack trusted accounts that allow account password resets via email (though 2fa may save you depending on the service)
      • They cannot access accounts which never trust devices unless they know your password
    • Via social engineering attack they can attempt a SIM-swap but they will need your password to access any sites
    • Malware on your 2FA device or accessing device.
  • Google-voice SMS/Phone Call
    • If they steal your device and get past any lock:
      • The same as the above applies
    • If they steal ANY OTHER device that has Google Voice installed, bypass any password protection (on Linux, Windows, Mac this is often possible) AND they have your password or it is a trusted device with a service, they could possibly gain full access to accounts.
    • Malware on your 2FA device or accessing device.
    • If they hit the 'reset password link' on a site:
      • If they have phished for your email password and you DON'T have 2fa on your email AND you have GV and email on the same account (or the same pass on two different google accounts), then Alan is exactly correct that this is essentially not 2fa. If you DO have 2fa on your email, then it is still 2fa. They can phish for your google password, and when they have it they can go to any website and select 'forgot password', but it won't help because they don't have the second 'thing you have', namely a SEPARATE (see below) GV account for 2fa. The gmail pass doesn't help them get into the site. But you DON'T want GV on the same gmail account that your 2fa is on anyway (see below), so usually this WILL be 2fa as long as you have different passwords on each account.
    • (YOU CAN LOCK YOURSELF OUT: DO NOT USE THE SAME GOOGLE ACCOUNT FOR BOTH GOOGLE VOICE TO RECEIVE 2FA AND THE ACCOUNT THAT SENDS OUT THE 2FA)
  • A 'push' authentication like Duo
    • If they steal the device:
      • If they can bypass the password for the device they can use 2fa directly.
    • If they steal any other device that has a push service installed
  • A code generator:
    • If they steal a device:
      • If they can bypass the password for the device they can directly access 2fa.
    • Malware on your 2FA device or accessing device.

In summary, GV is or is not a 'big mistake' depending on the level of risk you want to take. Push or code generation is probably the safest but they each have their own attack vectors. Malware is very unlikely but not impossible (and all but push are vulnerable). Your device stolen AND a motivated attacker trying to hijack your accounts is also very unlikely but possible. But all methods are vulnerable to your device being stolen. GV adds additional risk because now ANY GV device that is stolen can be vulnerable to attack. But GV does add extra convenience: you can push to multiple devices, you don't have to go get your phone, you can see it pop up on your laptop and just enter it. Is it worth the extra risk? (Maybe there is a 2% chance you get your device stolen in a year (true with any method, but worse with GV because you have other devices that can get stolen), and a 5% chance that the attacker is motivated enough to hijack your accounts.) So that's your absolute risk; is it worth it? That's up to you.

But if you do go with GV the tips are:

  • EDIT 3/21: There are now several services that allow you to have 2FA time-based auth synced with multiple devices (Authy is one example of several). Consider that as an alternative to using google voice for the convenience (if you usually, and don't want to, have to go walking across the house to unlock your account).
  • Make sure you DON'T use 2FA with your Google account ON THE SAME ACCOUNT as GV
  • Make sure ALL your devices are password/PIN protected with a strong password
  • As soon as you notice a device is stolen, change your passwords and 2fa methods for ALL important accounts IMMEDIATELY
  • Turn 2fa on for all your email accounts (but see the first point!): your email is a treasure trove for hackers because of the history and password reset abilities.

(Think up any other attack vectors? any corrections? Let me know and I'll add it to the list.)

Joe

The main problem with this would be when someone has malware on your computer (such as a keylogger) they would be able to get your Google Voice password as well as your normal account password. They could then get past the two factor authentication. If you always access Google Voice from a separate system you'd still technically be two factor though.

AJ Henderson

If you restricted access to your Google Account and implemented multi-factor authentication to access it prior to accessing Google Voice it'd increase the threshold of unauthorized access and would be safer to use. But often users don't use PINs or anything else on their physical devices either and of course you can't physically lose it either.

If your phone number is compromised you're easily able to change it too using Google Voice.

  • While I understand what you're trying to say, I think you should find ways to reword it, as it's slightly awkwardly written. For example, what is _unauthorized access threshold_? The sentence about users _often not using PINs, ..._ also ends with describing the inability to physically lose Google Voice, not a physical device, as it currently seems to suggest. I realize it's only the wording, but please edit it for clarity nonetheless. Thanks! – TildalWave Jun 01 '13 at 09:48

Yes it is a mistake. You've made your account more secure, but not with a 2nd factor.

There are three factors for identification: something you know, something you are, and something you have.

In this case, something you have, is supposed to be a physical device (your mobile phone) that only you (in theory) have access to.

While Google Voice allows SMS traffic, it also allows anyone with a computer, an internet connection, and your credentials to access your SMS, so you've diminished the factor quite significantly. Instead of 2-factor, you actually have a single factor, a password, used twice: your site password, and the password for your Google Voice account. This is not 2-factor auth.

In reality it's no different from clicking the "forgot my password" link and having the reset link sent to your Google account (which is the same account used to access Google Voice).

Alan
  • Your concerns are solved by using the Google Authenticator. – Ramhound Jun 03 '13 at 12:22
  • If you're using Google Authenticator, why aren't you just sending the SMS directly to your phone anyway? – Alan Jun 03 '13 at 13:16
  • It's easier to change the Google Voice number than it is to change your phone number. You can also receive digital copies of the text message, archive the text messages, and have an overall better message history. Sending a text message through Google Voice is also **FREE** and it costs $0.30 to receive a normal text message through your phone provider. – Ramhound Jun 03 '13 at 14:10

One use case that's been ignored in the answers thus far is for those who are unable to keep their physical phone on their persons at all times. If you're not allowed your cell phone at work for example, I'd argue that using Google Voice as your two factor authentication source is a huge step over not having two factor authentication at all. No, it's not perfect and it is susceptible to risk, but that risk is much less of a risk than what it would be just leaving your services as password authentication only.

I guess I'm saying to use common sense. If you're able to keep your phone on you every time you need to log in somewhere then don't bother using Google Voice as it's a risk, but if you can't always access your second authentication device, make that authentication be Google Voice to give you better security than a single authentication source.

stevenhaddox