I must admit I was delighted to receive an email today from UK high street pharmacy Boots telling me I should enable two-factor authentication on my account.
Boots customers would have benefited from two-factor authentication a couple of years ago, when hackers attempted to gain access to customers’ Boots Advantage Card accounts, and Boots temporarily stopped payment with Advantage Card points as a result.
Two-factor authentication, often called 2FA, helps harden accounts from being hacked. In a nutshell, 2FA means that criminals shouldn’t be able to access your online account just by guessing/stealing your username and password because the login process also demands an additional method of identification.
So, if I were to try to log into my Twitter account, eBay account, email account, or whatever, I would also be asked to enter a one-time passcode. That one-time passcode might be generated by an authentication app on my phone, or provided by a hardware key that is – hopefully! – in my possession rather than that of the hacker.
It’s not a 100% guarantee that your account won’t get hacked, but it certainly makes it much trickier for attackers, many of whom may decide to target accounts that haven’t enabled 2FA instead.
Okay, so with all that understood, I’m pleased Boots sent me an email saying that they encouraged me to enable two-factor authentication.
But there’s the problem. Although it’s a good thing that Boots is pushing account holders to enable 2FA protection, they are not offering 2FA via a method such as a hardware key or an authentication app. Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.
Instead, Boots is requiring you to tie your account’s 2FA-protection to a mobile phone number.
What Boots is going to do is send you an SMS text containing a one-time passcode when you try to log into your account. You’ll be required to enter that code to successfully log in.
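By contrast, an SMS code is not derived from anything the phone holds; the server simply picks a random number and hands it to the mobile network to deliver. The example below is mine, not Boots' implementation, and shows the server side of that flow with the controls a defender would insist on, since the delivery channel is the weak point: a short expiry, single use, a bounded number of guesses, and the code kept only as a keyed hash so a leaked session store does not reveal live codes. The `SmsOtpService` class, the pluggable `send_sms` callable and the 07700 900000 phone number (a UK range reserved for fiction) are all constructed for the example.

```python
"""Server side of an SMS-delivered one-time passcode (added example, not Boots' code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int = 3


class SmsOtpService:
    """Issues a random 6-digit code per login attempt and checks it at most once.

    The code carries no secret of its own, so its only protection is the SMS
    channel; the expiry, single use and guess limit bound the damage if the
    message is diverted or read by malware on the handset.
    """

    def __init__(self, send_sms, ttl_seconds: int = 300, clock=time.time):
        self._send_sms = send_sms                 # callable(phone_number, text); transport is pluggable
        self._ttl = ttl_seconds
        self._clock = clock                       # injectable for testing expiry
        self._pending = {}                        # user_id -> PendingCode
        self._pepper = secrets.token_bytes(32)    # per-process key so stored digests cannot be brute-forced offline

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone_number: str) -> None:
        """Generate a fresh code, store only its digest, and hand the code to the SMS transport."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = PendingCode(self._digest(code), self._clock() + self._ttl)
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user_id: str, candidate: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:      # expired: require a new code
            del self._pending[user_id]
            return False
        if hmac.compare_digest(self._digest(candidate), entry.digest):
            del self._pending[user_id]            # single use: the same code can never succeed twice
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:              # too many wrong guesses: discard and force re-issue
            del self._pending[user_id]
        return False


if __name__ == "__main__":
    # Demo transport: print instead of sending. Number is a constructed, reserved-for-fiction value.
    svc = SmsOtpService(lambda phone, text: print(f"SMS to {phone}: {text}"))
    svc.issue("alice", "+44 7700 900000")
```

Note what this design cannot do: it has no way to tell whether the person typing the code is the account holder or someone who had the message diverted to their own handset, which is exactly the gap the next paragraphs describe.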
Any 2FA is better than no 2FA, and I would still encourage Boots customers to enable this feature.
But this form of 2FA protection has been abused time and time again by criminals who have found ways to access other people’s text messages – whether by tricking cellphone operators into diverting messages to a device under their control or by using malware to spy upon codes sent via SMS.
This is the reason why organisations like the US National Institute of Standards and Technology (NIST) stopped recommending SMS-based 2FA years ago.
I like that Boots is recommending its users enable 2FA. I don’t like that they have missed an opportunity to promote a stronger form of 2FA, rather than one which we all need to move away from.
3 comments on “Boots lets down its customers, by only offering SMS-based 2FA”
Think of their target market, many many older folks. I would hazard that most would have no idea what an auth key or app is, and have no chance of installing one. SMS is still a great improvement.
I've tried to log in from NZ and it doesn't work. I supply my mobile phone and the code is never sent. So I can't shop online for an upcoming trip to the UK. Hopeless. It's not the first time UK suppliers fail to think of overseas customers.
This has happened to me too; they should think of loyal customers from overseas. I shop from Good Molecules, Amazon and from the soopery too, but I have never experienced failure in receiving the authentication code via my Tanzania number like has happened with Boots. So I had to find someone in the UK to help me out so that I was able to log in to my account again; I came to figure this out after a week. Try adding a UK number or any number from a country where there are Boots stores and you will be successful, though this is not sustainable.
Boots should work on that please, you will lose good customers like us.