Just wanted to post this about something rather annoying I found out the other day regarding Amazon’s security. For the security conscious among us, the obvious way to increase the security of an Amazon account is to use an authenticator app rather than SMS/text 2FA. This is because SMS-based 2FA is vulnerable to SIM swapping attacks, in which an attacker uses social engineering against your carrier to get your phone number moved to a SIM they control, so any code sent by text goes to them. The logical thing, then, would be to enable the app authenticator and disable SMS – right?

Well, no – because it’s impossible. When you turn on app-based authentication, Amazon sets up SMS as a backup method. Since an attacker can choose the backup path, the account is only as strong as its weakest enabled factor, which makes the authenticator app nearly worthless compared to SMS alone.

Some users report success removing their phone number from their account before enabling 2FA. The downside is that you then get no SMS notifications for things like security alerts or order updates, because the moment you add a phone number again it is set up as a backup 2FA method.

It seems like I’m not the only one who has documented this online, and I do hope Amazon does eventually look into this and mitigate the issue.