
Do Not Forward: SMS Two-Factor Authentication (2FA) Security

Passwords aren’t secure – you’ve probably heard this a thousand times. Year after year, studies demonstrate that people use weak passwords (123456, really?) and reuse them across multiple accounts. As a result, passwords alone are increasingly untrustworthy for controlling access to sensitive resources.


This is a serious problem since passwords are a key component of most organizations’ data security strategy. We assume that only authorized users know their password, which makes it easy to differentiate the people who should be allowed access to systems or data from those who shouldn’t.

Luckily for us, passwords don’t have to be the final line of defense when protecting our online accounts. Websites increasingly offer two-factor authentication (2FA) to bolster our security. Instead of just needing a password to access the account, we also need to provide some other piece of information (typically a 4-6 digit code) to gain access. The assumption is that an attacker can only get the password, not the code, so there is no way that they can get in. But how valid is that assumption for SMS-based 2FA?

Not All 2FA Are Created Equal.

Two-factor authentication (2FA) comes in several different types. Technically, 2FA is a subset of multi-factor authentication (MFA), which involves two or more of something you know (like a password), something you have (like a key), and something you are (like a fingerprint).

Traditionally, 2FA is based on one-time codes using the time-based one-time password (TOTP) protocol. This combines the two factors of something you know (your password) and something you have (the mechanism used to send you the one-time code). The security of the 2FA scheme therefore rests on the security of the channel used to deliver that code to you.

There are several different methods of delivering one-time codes to you. These include:

  • SMS-Based: A code is texted to a phone number on file for you
  • Phone-Based: You receive a phone call with the code in it (rarer)
  • Email-Based: You receive an email with the code in it
  • App-Based: You add your account to an app like Duo or Google Authenticator, and it generates codes for you
  • Token-Based: You have a physical token like a Yubikey or RSA SecurID that handles authentication

Of these options, SMS-based 2FA is the most widely offered. However, this option doesn’t quite reach the same security levels as some others.

The Issues with SMS-Based 2FA

If you visit almost any website offering two-factor authentication, SMS-based 2FA is probably an option. However, the National Institute of Standards and Technology (NIST), the US government agency that (as part of its job) publishes guidance on security topics, said that organizations should stop using it way back in 2016.

The reason why SMS-based 2FA is deprecated is that there are so many ways to break it. A list of possibilities includes:

  • Phone Number Porting: For high-profile or valuable accounts, hackers will contact the victim’s cellular provider and request that the number be ported to a new service under the hacker’s control. All they have to do is guess the verification questions (which are usually weak). As a result, they own the number and intercept SMS codes (and calls, texts, etc.).
  • SIM Hijacking: A similar attack to porting is when the attacker enters the cellular provider’s store and requests a replacement SIM card for the victim’s number. By completing the verification steps (or bribing the underpaid clerk), they can get the only SIM card for that number. As a result, all of the victim’s 2FA codes (and all other calls and texts) go to the hacker instead.
  • Online Portals: Many cellular providers let you check your text messages online. Many people use or reuse weak passwords, making this a viable way to get the 2FA codes.
  • Phishing: Attackers will set up phishing sites or send text messages to the user designed to get them to send their 2FA codes to the attacker. This theoretically can work on any 2FA system.
  • Malware: Malware installed on your smartphone can read your SMS messages. Did you check the permissions before installing that app?
  • SS7 Network: The SS7 network is the system used to send SMS messages to phones, and it’s known to be insecure. Hacking the SS7 network allows attackers to read your 2FA codes while en route to you.

Still feeling confident that your SMS-based 2FA system keeps you (and your users) safe? SMS-based authentication is better than nothing, but since better options are available, it’s probably a good idea to switch to them whenever possible.

Securing Your Accounts

Two-factor authentication can be a powerful tool when securing online accounts. The massive number of recent data breaches and the fact that users commonly use weak passwords and reuse them across accounts means that passwords are not enough to keep us safe. 2FA is necessary to close the gap.

However, SMS-based 2FA is unreliable for several reasons. This has impacts on us both as individuals and as organizations. Whenever possible, individuals should opt for a stronger form of 2FA when available (and request it when it isn’t). Organizations should roll out more secure 2FA options for both external (i.e., customer) and internal (i.e., employee) accounts to better protect their resources and sensitive data.

Organizations should also consider a data security solution for protecting their sensitive resources. 2FA systems not based on SMS are a good starting point, but phishing attacks can defeat even them. A data security solution that can differentiate legitimate users from attackers with legitimate credentials can be a major asset to an organization’s cybersecurity strategy.

About author

I work for WideInfo and I love writing on my blog every day with huge new information to help my readers. Fashion is my hobby and eating food is my life. Social Media is my blood to connect my family and friends.