If You Use SMS for Two-Factor Authentication Get Ready To Kill It
Two-factor authentication extends the security around access beyond a simple username and password. Most people familiar with two-factor have used it at their office jobs with a token that shows a rotating set of numbers you need to enter. As the demand for security has extended outward to social media, financial and everyday websites, those services have offered two-factor authentication through a simpler method: using cell phone text messaging (SMS) to deliver the set of numbers.
SMS-based two-factor will soon become a thing of the past, as the US National Institute of Standards and Technology (NIST) has recently released a report stating that SMS-based two-factor is insecure and should be banned.
Their reasons do make sense and come down to “device proofing” a cell phone to a user. Because cellular networks, their technologies and the underlying communication flows are so easy to spoof, using text messages to transmit codes used in a security process is inherently insecure.
“If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
Twitter, Google, PayPal and many other mainstream services use SMS for their two-factor offering. That will soon change. This may have a negative impact on the security posture of the user base, because SMS is basically hands-off and requires almost zero knowledge to use: anyone can re-type a text message code. The alternative will be to move to a software/app-based token like Google Authenticator that generates authentication codes online or offline. The trade-off is that users will need to learn a little to use and understand software-based tokens, and if it’s complicated, unfortunately, they will not enable the advanced security features. Worse, the services won’t force it because they don’t want to lose users.
From a technical position, SMS two-factor is insecure under the right circumstances, but it’s still better than a username and password alone. If services continue to offer it, they need to get creative about better tying a user to a device, or make the user understand that this is not an optimal secure option.
Or the industry can fix the design flaws in the underlying Signaling System 7 (SS7), but that’s not going to happen.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.