Boots lets down its customers, by only offering SMS-based 2FA

I must admit I was delighted to receive an email today from UK high street pharmacy Boots telling me I should enable two-factor authentication on my account.

Boots customers would have benefited from two-factor authentication a couple of years ago, when hackers attempted to gain access to customers’ Boots Advantage Card accounts, and payment with Boots Advantage Card points was temporarily stopped as a result.

Two-factor authentication, often called 2FA, helps harden accounts against being hacked. In a nutshell, 2FA means that criminals shouldn’t be able to access your online account just by guessing or stealing your username and password, because the login process also demands an additional method of identification.

So, if I were to try to log into my Twitter account, eBay account, email account, or whatever, I would also be asked to enter a one-time passcode. That one-time passcode might be generated by an authentication app on my phone, or provided by a hardware key that is – hopefully! – in my possession rather than that of the hacker.

It’s not a 100% guarantee that your account won’t get hacked, but it certainly makes it much trickier for attackers, many of whom may decide to target accounts that haven’t enabled 2FA instead.

Okay, so with all that understood, I’m pleased Boots sent me an email saying that they encouraged me to enable two-factor authentication.

But there’s the problem. Although it’s a good thing that Boots is pushing account holders to enable 2FA protection, they are not offering 2FA via a method such as a hardware key or an authentication app. Perhaps the best-known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.

Instead, Boots is requiring you to tie your account’s 2FA-protection to a mobile phone number.

What Boots is going to do is send you an SMS text containing a one-time passcode when you try to log into your account. You’ll be required to enter that code to successfully log in.

Any 2FA is better than no 2FA, and I would still encourage Boots customers to enable this feature.

But this form of 2FA protection has been abused time and time again by criminals who have found ways to access other people’s text messages – whether by tricking cellphone operators into diverting messages to a device under their control or by using malware to spy upon codes sent via SMS.

This is the reason why organisations like the US National Institute of Standards and Technology (NIST) stopped recommending SMS-based 2FA years ago.

I like that Boots is recommending its users enable 2FA. I don’t like that they have missed an opportunity to promote a stronger form of 2FA, rather than one which we all need to move away from.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.