Passwords aren’t secure – you’ve probably heard this a thousand times. Year after year, there are studies demonstrating that people use weak passwords (123456, really?) and reuse them across multiple accounts. As a result, passwords are increasingly untrustworthy as a means of managing access to sensitive resources.
This is a pretty serious problem since passwords are a key component of most organizations’ data security strategy. We make the assumption that only authorized users know their password, which makes it easy to differentiate the people that should be allowed access to systems or data from those that shouldn’t.
Luckily for us, passwords don’t have to be the final line of defense when protecting our online accounts. Websites are increasingly offering two-factor authentication (2FA) as an option to bolster the security of our accounts. Instead of just needing to provide a password to gain access to the account, we also need to provide some other piece of information (typically a 4-6 digit code) to gain access. The assumption is that the attacker only has the ability to get the password, not the code, so there is no way that they can get in. But how valid is that assumption for SMS-based 2FA?
Not All 2FA Are Created Equal
Two-factor authentication (2FA) comes in several different types. Technically, 2FA is a subset of multi-factor authentication (MFA), which involves two or more of something you know (like a password), something you have (like a key), and something you are (like a fingerprint).
Traditionally, 2FA is based on one-time codes using the time-based one-time password (TOTP) protocol. This combines the two factors of something you know (your password) and something you have (the mechanism used to send you the one-time code). The security of the 2FA scheme is based on the security of the mechanism for sending you that code.
There are several different methods of delivering one-time codes to you. These include:
- SMS-Based: A code is texted to a phone number on file for you
- Phone-Based: You receive a phone call with the code in it (rarer)
- Email-Based: You receive an email with the code in it
- App-Based: You add your account to an app like Duo or Google Authenticator and it generates codes for you
- Token-Based: You have a physical token like a Yubikey or RSA SecurID that handles authentication
The Issues with SMS-Based 2FA
If you visit pretty much any website that offers two-factor authentication, SMS-based 2FA is probably an option. However, the National Institute of Standards and Technology (NIST), the US government agency that (as part of their job) provides guidance on security topics, said that organizations should stop using it way back in 2016.
The reason why SMS-based 2FA is deprecated is because there are so many ways to break it. A list of possibilities includes:
- Phone Number Porting: For high-profile or valuable accounts, hackers will contact the victim’s cellular provider and request that the number be ported to a new service under the hacker’s control. All they have to do is guess the verification questions (which are usually weak). As a result, they own the number and can intercept SMS codes (and calls, texts, etc.).
- SIM Hijacking: A similar attack to porting is when the attacker goes into the cellular provider’s store and requests a replacement SIM card for the victim’s number. By completing the verification steps (or bribing the underpaid clerk), they can get the only SIM card for that number. As a result, all of the victim’s 2FA codes (and all other calls and texts) go to the hacker instead.
- Online Portals: Many cellular providers let you check your text messages from the Internet. Many people use weak passwords or reuse them, making this a viable way to get the 2FA codes.
- Phishing: Attackers will set up phishing sites or send text messages to the user that are designed to get them to send their 2FA codes to the attacker. This theoretically can work on any 2FA system.
- Malware: Malware installed on your smartphone can read your SMS messages. Did you really check the permissions before installing that app?
- SS7 Network: The SS7 network is the system used to send SMS messages to phones, and it’s known to be insecure. Hacking the SS7 network allows attackers to read your 2FA codes while they’re en route to you.
Still feeling confident that your SMS-based 2FA system is keeping you (and your users) safe? SMS-based authentication is better than nothing, but, since there are better options available, it’s probably a good idea to switch to them whenever possible.
Securing Your Accounts
Two-factor authentication can be a powerful tool when securing online accounts. The massive number of recent data breaches and the fact that users commonly use weak passwords and reuse them across accounts means that passwords are not enough to keep us safe. 2FA is necessary to close the gap.
However, SMS-based 2FA is unreliable for a number of reasons. This has impacts to us both as individuals and as organizations. Whenever possible, individuals should opt for a stronger form of 2FA when it is available (and request it when it isn’t). Organizations should roll out more secure 2FA options both for external (i.e. customer accounts) and internal (i.e. employees) use to better protect their resources and sensitive data.
Organizations should also consider a data security solution for protecting their sensitive resources. 2FA systems not based on SMS are a good starting point, but even they can be defeated by phishing attacks. A data security solution with the capability to differentiate legitimate users from attackers with legitimate credentials can be a major asset to an organization’s cybersecurity strategy.