2013-Apr-19 - Using Phones/SMS as 2FA - Why I am not a believer

We often complain that TCP/IP is not secure and was not designed with security in mind, and that this is why we are in the security mess we are in today. However, have you ever looked at phone networks? Or at how SMS works? Talk about not considering security in a design...

Yet we routinely rely on phones as a secure channel for password resets and two-factor authentication. That is why I am not a believer, and I avoid it whenever possible.

And it is not only the phone networks; the phone companies themselves are really bad at security:

  • Your voicemail is protected by only a 4-digit PIN, and on most carriers you can access it remotely from any phone.
  • Easy to social engineer. If you know some basic information about the person, you can get carrier support to change the PIN or redirect the number.
  • Easy to spoof. It is very easy to spoof an SMS message: the sender ID is just a field chosen by whoever submits the message. There is no SSL, certificate or signature to verify where it really came from.

A good example of this insecurity is what happened to CloudFlare:

"AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box; Google's account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset;"

So if you are relying on your phone or SMS to reset your passwords or for 2FA, think again. You might be opening yourself up to more problems than you are solving.

What should I use for 2FA?

If you are looking to use 2FA, these are the options I suggest, in order of preference:

  1. Hardware-based devices. If you have the option to use RSA SecurID or Gemalto tokens (the ones used by Amazon), use them first. The secret never leaves the device and there is no network involved in generating the code.
  2. Google Authenticator. If a hardware-based device is not available, look for Google Authenticator. Yes, it is an app on your phone, but it does not use SMS or rely on the phone network to authenticate you. It uses time-based OTP (TOTP) instead: a secret is shared once at enrollment, and every code is computed locally from that secret and the current time, so redirecting your number or intercepting your messages gains the attacker nothing. That is much better. (The secret still lives on the phone, so a compromised handset or an exposed backup is the remaining risk.)
  3. IP-based restrictions. This one can be used in conjunction with the others, not as a factor on its own. If you can provide an IP address or IP range that is allowed to log in, use that as well.
  4. No 2FA. If the only option available is SMS or call-based authentication, do not use 2FA. If you are using a service that allows multiple authentication choices, and it has a fallback mechanism allowing the user to choose a weak form of authentication, do not use it either: an attacker will simply pick the weakest method offered, so that method defines your real level of security.

And please remember that 2FA is not a substitute for a good password policy. Choosing unique, strong passwords is still the best option.

By Daniel B. Cid - Tags: sec - Notes index.
