Using SMS as 2FA - Not a good idea

We often complain that TCP/IP is not secure and was not designed with security in mind, and that this is why we are in the security mess we are in today.

However, very few people complain about phone networks, or about SMS. They are far more insecure than what we have on the Internet right now (TCP/IP + HTTPS).

And that's a big problem. Why? Because we often rely on phones as a "secure" medium for password resets and two-factor authentication. That's why I am not a believer in phone-based 2FA, and I actually avoid it whenever possible.

And it is not only the phone networks; the phone companies themselves are really bad at security.

Think about it:

1- Your voicemail is protected by only a 4-digit PIN, and on most carriers you can access your voicemail remotely.
2- Easy to phish. If you know some basic information about the person, you can call the carrier and get the PIN changed.
3- Easy to spoof. It is very easy to spoof an SMS message: there is no SSL/TLS or certificate to verify where it really came from, and the sender ID is just a field the sending party fills in.

A good example of this insecurity is what happened to CloudFlare:

"AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box; Google’s account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset;"

So if you are relying on your phone or SMS to reset your passwords or for 2FA (two-factor authentication), think again. You might be opening yourself up to more problems.

What should you use for 2FA instead?

If you are looking to use 2FA, which you should, these are the options I suggest:

1- Hardware-based devices. If you have the option to use RSA SecurID or Gemalto devices (used by Amazon), use them first.
2- Google Authenticator. If a hardware-based device is not available, look for Google Authenticator. Yes, it is an app on your phone, but it does not use SMS or rely on the phone network to authenticate you. It generates time-based one-time passwords (TOTP) from a secret shared with the service instead, so hijacking your phone number gives an attacker nothing. That is much better.
3- IP-based authentication. This one can be used in conjunction with the others. If you can restrict logins to an IP address or IP range that you control, do that as well.
4- No 2FA. If the only option available is SMS or call-based authentication, do not use 2FA. And if a service offers multiple authentication choices but has a fallback mechanism that lets the user pick a weak form of authentication, do not use it either: the account is only as strong as the weakest method that can still be used to get in.

And please remember that 2FA is not a substitute for a good password policy. Choosing unique, strong passwords is still the best option.

Posted in passwords, thoughts by Daniel Cid (dcid)
