Boots lets down its customers, by only offering SMS-based 2FA

I must admit I was delighted to receive an email today from UK high street pharmacy Boots telling me I should enable two-factor authentication on my account.

Boots customers would have benefited from two-factor authentication a couple of years ago, when hackers attempted to gain access to customers’ Boots Advantage Card accounts, and temporarily stopped payment with Boots Advantage Card points as a result.

Two-factor authentication, often called 2FA, helps harden accounts against being hacked. In a nutshell, 2FA means that criminals shouldn’t be able to access your online account just by guessing or stealing your username and password, because the login process also demands an additional method of identification.

So, if I were to try to log into my Twitter account, eBay account, email account, whatever, I would also be asked to enter a one-time passcode. That one-time passcode might be generated by an authentication app on my phone, or provided by a hardware key that is – hopefully! – in my possession rather than that of the hacker.

It’s not a 100% guarantee that your account won’t get hacked, but it certainly makes it much trickier for attackers, many of whom may decide to target accounts that haven’t enabled 2FA instead.

Okay, so with all that understood, I’m pleased Boots sent me an email saying that they encouraged me to enable two-factor authentication.

But there’s the problem. Although it’s a good thing that Boots is pushing account holders to enable 2FA protection, they are not offering 2FA via a method such as hardware key or authentication app. Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.

Instead, Boots is requiring you to tie your account’s 2FA-protection to a mobile phone number.

What Boots is going to do is send you an SMS text containing a one-time passcode when you try to log into your account. You’ll be required to enter that code to successfully log in.

Any 2FA is better than no 2FA, and I would still encourage Boots customers to enable this feature.

But this form of 2FA protection has been abused time and time again by criminals who have found ways to access other people’s text messages – whether it be tricking cellphone operators into diverting messages to a device under their control or using malware to spy upon codes sent via SMS.

This is the reason why organisations like the US National Institute of Standards and Technology (NIST) stopped recommending SMS-based 2FA years ago.

I like that Boots is recommending its users enable 2FA. I don’t like that they have missed an opportunity to promote a stronger form of 2FA, rather than one which we all need to move away from.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Boots lets down its customers, by only offering SMS-based 2FA”

  1. Angus Bradley

    Think of their target market, many many older folks. I would hazard that most would have no idea what an auth key or app is, and have no chance of installing one. SMS is still a great improvement.

  2. Rachel

    I've tried to log in from NZ and it doesn't work. I supply my mobile phone and the code is never sent. So I can't shop online for an upcoming trip to the UK. Hopeless. It's not the first time UK suppliers fail to think of overseas customers.

    1. Johanitha · in reply to Rachel

      This has happened to me too, they should think of loyal customers from overseas, I shop from good molecules, amazon and from the soopery too but I have never experienced failure in receiving the authentication code via my Tanzania number like it has happened with Boots. So I had to find someone in the UK to help me out so that I was able to login to my account again, I came to figure this out after a week. Try adding a UK number or any number from a country where there are Boots stores and you will be successful, though this is not sustainable.
      Boots should work on that please, you will lose good customers like us.

  3. Betty Warren

    This is ok until you change your number & then want to change it in the app, only to find they need to verify you on this via your old phone number that you haven't got changed in the account. I even rang up to change it but still they keep trying to send a code to my old number, to which I no longer have access.
