SMS authentication is a simple and effective way to add extra protection to online accounts and we strongly advocate it. Most large services offer it as documented in recent articles on setting up this type of security for Google/Gmail and PayPal. Oddly, despite a growing number of anecdotes of fraud, Amazon only recently started offering the option for US account holders and it is still not enabled for UK account holders.
Or at least we thought that was the case.
Thinking laterally, it turns there is an incredibly simple way to enable two-factor SMS for UK users without having to wait until it is formally launched some time in 2016. All that is needed is an Amazon US account, something that many UK users will have anyway as a facility to send gifts to US relatives or to get hold of items not offered in the UK. This works because even though the UK and US accounts require different passwords and have separate portals, they are still linked by name, primary address, primary credit card and email ID. That applies to security which is managed as a single platform across countries.
Amazon two-factor SMS authentication – Your Account setting
Once armed with the Amazon US account, simply log in and find ‘Your Account’ > ‘Change Account Settings’. US users now have an extra option, ‘Advanced Security Settings’. At this point the user will be asked whether they want to enable SMS authentication.
Enter a UK mobile number, typing the six-digit SMS code sent to that handset. A backup mainline number can also be specified, a good idea in case the mobile is lost or out of action for some reason. This can be verified either by SMS or by receiving the same code via automated voice call.
As with Google Authenticator, Amazon also offers an app that will generate the same code from a smartphone even if there is no mobile service. Some people might find this more convenient.
To avoid having to generate a code every time the user logs in, Amazon allows individual devices (i.e. a PC, smartphone, tablet, etc.) to be whitelisted. Remember, however, that any new device from which Amazon is accessed will require a code every time the account is accessed unless it is added to the exception list.
From now on when visiting the UK Amazon, the service will ask for an authentication code even though that service if not officially enabled. The ‘Advanced Security Settings’ option even now appears under ‘Your Account’. Note that devices whitelisted for the US service will need to be whitelisted a second time for UK logins.
It is likely that SMS authentication will be offered to UK users in due course (we were unable to confirm when), at which point the US account will no longer be necessary. We still think it is poor that Amazon has lagged other big service providers in such an important form of security. As the world's number one e-commerce firm, Amazon could also do a lot to raise some awareness of the technology and its advantages.
Don’t live and learn, enable it now.