In recent weeks, there have been reports of flaws in the SMS (text messaging) protocols that allow attackers to essentially hijack SMS two-factor authentication for accounts they’ve targeted.
This is causing many people to avoid two-factor authentication altogether when SMS is the only option available.
I believe that’s a serious mistake. SMS-based two-factor authentication is still better than no two-factor authentication at all.
Better than SMS
Since SMS does have its flaws, I want to start by pointing out that if you have an option, there are better and more flexible alternatives for two-factor authentication, including Google Authenticator, Authy, email authentication, and more.
Google Authenticator is a smartphone application that generates a code that changes every 30 seconds. When you set up this kind of two-factor authentication, you establish a cryptographically secure pairing between an online service and your phone. When two-factor is used, you simply enter the code currently displayed on your phone when asked. As a bonus, no connectivity is required when using Google Authenticator. Once established, the application runs independently on your device, and as long as the time is set correctly, it just works.
I use Google Authenticator style two-factor whenever possible, but I no longer use the Google Authenticator application. The single biggest problem is that moving to a new phone is extremely painful, involving turning two-factor off for each account and then reestablishing it on the new device. Instead, I use Authy. You can use Authy anywhere Google Authenticator is supported. It allows you to “back up” your two-factor configuration, making it easy to move to other devices. You can even use Authy from your desktop, without reaching for your phone at all.
Whenever it’s an option, I enable two-factor authentication using Authy. I currently have 14 different accounts set up this way.
Many services opt for a form of two-factor authentication based on email. When you log in, they send an email message to the email address of record, containing a link you must click to complete the log-in process. The “second factor” is your ability to access that email account.
I’ve seen some services use this technique to actually bypass the password requirement completely, relying on your email address being correct, your email account being secure, and your ability to click the link sent to it to verify you are who you say you are.
The problem, of course, is that this requires the ability to access your email. It’s also not something that can be used as a second factor on your email account, unless it uses a different email address — your “alternate” email address — as the second factor.
Sometimes email can be delayed. If you’re waiting to log in to some service, that delay can be annoying, and at worst can be long enough to invalidate the attempt.
But as long as your email account itself is secure, it’s a perfectly valid way to set up a form of two-factor authentication.
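The email approach above rests on two properties of the emailed link: it must be unguessable, and it must stop working after it is used or after the delay the article mentions becomes too long. The following is an added example of issuing and redeeming such a link, not code from the article or any service it names; the 15-minute lifetime, the example.invalid host and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60   # assumption: a link that arrives later than this is no longer honoured


class EmailLinkIssuer:
    """Issues single-use, time-limited login links for an email-based second factor."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                       # injectable so the expiry path can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)         # 256 random bits: not guessable or enumerable
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = (email, self._clock() + LINK_TTL_SECONDS)
        # Only the hash is stored: a copy of the store alone cannot be used to finish a login.
        return f"https://example.invalid/login/verify?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Returns the verified email address, or None if the link is unknown, reused or expired."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(token_hash, None)   # pop: a link can be redeemed once only
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None                           # the delayed-delivery case from the article
        return email


def token_from_link(url: str) -> str:
    """Extracts the token query parameter from a link as the verify endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    issuer = EmailLinkIssuer()
    link = issuer.issue("alice@example.invalid")   # constructed address
    print("first redeem :", issuer.redeem(token_from_link(link)))
    print("second redeem:", issuer.redeem(token_from_link(link)))
```

Because the link is the whole second factor, the account that receives it carries the security of every account it protects, which is the point the article makes about keeping the email account itself secure.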
SMS text messaging
When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity (or even a smartphone). Any device capable of receiving a text message can be used. This technique also transfers to your new phone automatically when you transfer your mobile number to the new device.
SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number…
… except when it’s been intercepted. Here’s where things get complicated.
SMS: the exploit
In order for SMS two-factor to be compromised, three things have to happen:
- The attacker needs to know your username and password.
- The attacker needs to know your mobile number.
- The attacker needs access to a phone company. 🙂
The Naked Security Blog’s article, “Bank accounts raided after crooks exploit huge flaw in mobile networks”, describes how hackers got the first two items via fairly traditional means:
…hackers sent conventional fake phishing emails to victims, suckering them into visiting fake bank websites, where they were told to enter account numbers, passwords and the mobile phone numbers they had previously given their banks.
Accomplishing the third item was a little less traditional:
…the attackers “purchased access to a rogue telecommunications provider and set up a redirect for the victim’s mobile phone number to a handset controlled by the attackers.”
Purchased access to a rogue phone company? Clearly possible, but not the most common scenario around, by far.
SMS: still better than nothing
Let’s say you’ve decided that SMS isn’t secure (because, as we’ve seen, it isn’t completely secure). Further, let’s say your bank or other account provider only offers SMS-based two-factor authentication (they should offer alternatives, but I know some don’t).
So you elect not to use SMS at all.
Here’s the requirement for your account to be hacked:
- The attacker needs to know your username and password.
That’s it. You’ve made it easier for hackers to access your account.
Even though it’s flawed, adding SMS two-factor authentication is better than nothing, because it puts an additional barrier in place that the hacker must be motivated and able to cross in order to access your account. Most aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords, and most aren’t able. Where does one go to purchase access to a rogue telephone company, anyway?
2FA: still your best defense
Note that with two-factor authentication, hackers can’t access your account even if they know your password.
I strongly recommend using two-factor in one form or another, be it Google Authenticator, Authy, email, SMS, or something else.
In a world of malware, phishing, assorted database compromises, and other perils, two-factor authentication remains a critical way to keep your most important accounts secure.
And maybe even some of those not-so important accounts as well.