Every day, millions of people sign in to their email, banking app or social media accounts with both their password and a one-time login code they receive by text message. The codes often arrive with a warning: “Do not share this with anyone.” The recipients of those warnings, though, have no way of knowing who saw it before it got to them.When companies generate messages with one of these so-called two-factor authentication codes, they almost never send them directly. Instead they outsource the...