2FA Codes via E-Mail – here’s how

Two-factor authentication (2FA) most commonly works using one-time passwords – short codes that are often sent to the user by SMS. Each of these passwords can only be used once. For many areas this additional level of security is important or at least sensible, especially anywhere personal data or finances are involved.

For teams in which several members share certain accounts, it can make sense to receive the one-time password via e-mail. An e-mail is much faster and easier to forward than an SMS. In the worst case, two-factor codes are written on paper and carried from office to office by hand, which takes time and is highly insecure.

Forwarding by e-mail, which is then available to the relevant team members, is much more efficient. Here we explain how this works in the seven system.

What you need to forward 2FA codes via E-Mail

First you need an seven account – the setup is free of charge.

To receive your one-time passwords by e-mail, you will also need an inbound number. Please make sure that you pick a number that is labelled with A2P, because only those are able to receive SMS by alphanumerical senders.

Then set up the forwarding of incoming messages by e-mail in your account under Settings -> Inbound SMS. If you now specify the corresponding phone number as the recipient for two-factor authentications, you will receive the one-time passwords by e-mail and can make them accessible to the team. Whether you use a shared E-Mail account or just forward the codes as needed is up to you.

Is it really safe?

For security reasons, it should be noted that this method reduces the level of additional security through multi-factor protection. Furthermore, 2FA based on SMS codes is not exactly the safest thing to do in the first place. The problem lies generally in the sending of SMS messages via the mobile network. As TheVerge reported, it is quite easy for hackers to hijack messages to gain access to an account. We do understand however, that for various reasons more secure methods may not be an option. For example, although it is rare, some services only use SMS for 2FA. In other cases various team members may not work in the same office, building, city or even country, preventing the use of physical security keys. Forwarding login credentials may still be necessary in these teams.

If you want to be more secure, you should consider other options such as special apps or physical security key generators. However, these are again only available to one team member at a time. Since they often work with time-limited security codes, forwarding them by e-mail or SMS doesn’t make much sense. This may seem inconvenient for teams, but is definitely more secure.

Conclusion

Forwarding 2FA codes received by SMS via E-Mail may not be the safest application possible. Depending on your situation as a company or team, it may be the most sensible solution however. Obviously, strict adherence to compliance is always recommended, but in this scenario, it’s even more important. After all, the best protection against hackers and other forms of attack is caution. At seven, we’re happy to help you make your accounts a bit safer and providing the technical framework for team-friendly 2FA.

Header picture by BestForBest via iStock.com, edited.

Edited 11/14/22: Added info about virtual phone numbers that can receive SMS from alphanumeric senders.

Edited 07/03/24: Replaced info on virtual phone numbers with the info to get an A2P number.