
It’s time to ditch SMS-based 2 Factor Auth - dend
https://dennisdel.com/blog/ditch-sms-2fa/
======
payne92
Security is relative; there is no absolute security.

SMS 2FA is not perfect, but it's MUCH better than what it replaced (nothing).
ANY system with a human component will be at risk of social engineering
attacks; not just SMS-based methods.

And shifting the attack surface to depend on social engineering (SE) adds
important rate limiting; it's difficult to automate SE attacks.

Friction is also a critical factor: a low-friction B+ security solution may be
better than a high-friction A+ solution. Consider total risk, not just point
risk.

SMS 2FA is like a CFL lightbulb. It's 10x better than what it replaced, it's
what we have now, but we know it's not the endgame (LED lighting).

~~~
osteele
What you say is true of actual 2FA, which only adds security. (Unless, maybe,
you take into account risk compensation[1], which is probably magnified when
SMS 2FA is less secure than users think.)

However, SMS “2FA” is often used to mean SMS-based _password reset_ , where
SMS can be used _instead_ of the password. With SMS-based password reset, SMS
_subtracts_ a factor (EDIT: or divides by two[2]?), instead of _adding_ a
factor as in 2FA.

This is the case with the OP article. The text of the article is unclear about
whether it means 2FA or password reset, and the title does include the term
“SMS-based 2 Factor Auth”. However, the example issues that the article links
to are all cases of password reset, not 2FA.

[1]
[https://en.wikipedia.org/wiki/Risk_compensation](https://en.wikipedia.org/wiki/Risk_compensation)

[2] I propose that SMS-based password reset be called “Half-Factor Auth” (HFA
or ½FA), to distinguish it from 2FA.

~~~
dend
You are right, it's mostly password reset 2FA (often times it ties into auth
SMS 2FA, so not necessarily mutually exclusive) - I will update the article
and clarify that.

------
eksemplar
If you want me to swap from SMS two-factor you need to come up with something
that’s as easy to use and restore when I drop my phone in the toilet, change
my email and what other silly user mistakes I’ve lost my f2as to.

~~~
notheguyouthink
I know it's not easy for grandmas/etc, but I personally love classic TOTP
solution. It's stupidly simple to backup[1], works on all my devices - even my
desktop if I want, and is completely secure[2].

It's a shame so many people have no clue you can _(and should, imo!)_ backup
your TOTP key.

[1]: just copy the string and store it however you want.

[2]: as far as I'm aware. I'm not a security professional, of course.
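
What that "string" is, as an added example in Go (not code from this thread or from any of the authenticator apps mentioned): an RFC 6238 TOTP computation where the base32-encoded secret is the entire state an authenticator holds for an account, so exporting it and re-importing it on another device produces the same codes. The secret used is the RFC 6238 test key, and the 30-second step, HMAC-SHA1 and 6 or 8 digits are the defaults Google Authenticator and most sites use; everything else here is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// b32 is the alphabet authenticator apps use for the secret in otpauth:// URIs
// and QR codes: standard base32, no padding.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// secretToBase32 exports the raw secret in the form a backup needs; this string
// is the whole state an authenticator holds for the account.
func secretToBase32(secret []byte) string {
	return b32.EncodeToString(secret)
}

// secretFromBase32 re-imports a backed-up secret, tolerating the spaces and
// lower case that sites often display it with.
func secretFromBase32(s string) ([]byte, error) {
	return b32.DecodeString(strings.ToUpper(strings.ReplaceAll(s, " ", "")))
}

// totpAt is RFC 6238 with the usual defaults (HMAC-SHA1, 30-second step):
// HOTP over the time counter, then dynamic truncation to the wanted digits.
func totpAt(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// verifyTOTP accepts the code for the current step or one step either side,
// which covers clock drift between the phone and the server; the comparison
// is constant-time, as for any other credential check.
func verifyTOTP(secret []byte, code string, unixTime int64, digits int) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		if hmac.Equal([]byte(code), []byte(totpAt(secret, unixTime+skew*30, digits))) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed: the RFC 6238 test secret, not a real account key.
	secret := []byte("12345678901234567890")
	backup := secretToBase32(secret)
	restored, _ := secretFromBase32(strings.ToLower(backup))
	fmt.Println("backup string:", backup)
	fmt.Println("code at t=59 from original and restored secret:",
		totpAt(secret, 59, 6), totpAt(restored, 59, 6))
}
```

The server-side verifier only ever needs the same secret and a clock; a site that also stores which counter it last accepted can additionally refuse a code that was already used within its window.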

~~~
saganus
Whenever a 2FA or TOTP article comes out, I ask if anyone knows of a hardware
dongle/token/card that can store several TOTP keys so that I can stop using my
phone for 2FA (e.g. Google Authenticator).

I've only found the Protectimus Slim NFC [0], which would be my ideal solution
except it only holds 1 key.

If it could save say, 100 keys (or even 50 maybe?), I would buy 3 or 4 in a
heartbeat. It would be great to have stronger 2FA than SMS, but with the peace
of mind of not having to worry about the phone.

I'm definitely not a hardware guy, but I can't believe such a solution doesn't
exist yet. It doesn't seem like it would be hard to build, right? I mean, you
just need a very simple processor, a real-time clock, a display and an NFC
module for reprogramming (or maybe micro-usb?).

Does anyone know of any products like the Protectimus but supporting multiple
keys?

[0] [https://www.protectimus.com/protectimus-slim-mini](https://www.protectimus.com/protectimus-slim-mini)

~~~
davchana
You can manually save a TOTP key in a KeePass db on any USB stick, and even
anywhere else too.

~~~
saganus
Yeah, I actually already do that, but it's not the same as having a Google
Authenticator in hardware in terms of convenience.

------
kerkeslager
Okay, this is a real problem.

That said, I think there's some tendency here to view security as binary:
secure or not secure. In fact, SMS 2FA is far more secure than single-factor
authentication with only a password for most users. I generate strong, unique
passwords[1] for every site and store them in a password manager[2], so I have
fairly strong guarantees that my passwords aren't likely to be broken. But how
many users do this? I'd guess that the average user still makes at least one
of the following mistakes:

1. Using the same password for their social media account, their bank, and
Joe's totally-not-a-password-collection-scheme website.

2. A password containing a combination of names, birthdays, favorite quotes,
or something similar which is easily broken through social engineering.

3. Short passwords with low entropy that are easy to brute force.

4. Back up authentication methods such as security questions or personal
information which are basically passwords, but unchangeable and used by many
sites (best friend in high school, mother's maiden name, SSN).

Passwords, as they are used by average people, are extremely, extremely
insecure, and the fact that SMS 2FA is insecure for completely different
reasons means that the combination of the two provides a real improvement in
security over simply continuing to use single factor auth methods.

I'm not saying that we should keep rolling out SMS 2FA as if it's the best
solution. But if a company rolls out SMS as a second authentication factor in
addition to passwords, we should at least thank them for improving security
before asking for better secondary factors. If all we do when we see SMS 2FA
is complain to the company without recognizing that SMS 2FA _is_ better than
what was there previously, it sends the wrong message: that security-conscious
consumers will never be happy and it's not worth catering to them.

[1]
[http://world.std.com/%7Ereinhold/diceware.html](http://world.std.com/%7Ereinhold/diceware.html)

[2] [https://keepass.info/](https://keepass.info/)

------
helipad
As a user I find SMS-based 2FA much easier to use. It's a tough challenge to
make authentication both secure and user friendly.

I've recently appreciated the Google and Facebook iOS apps just letting you
tap 'Yes' to confirm identity. It still requires me to go and find the
relevant app on my phone, but it's relatively low friction. Much better than
Google's own Authenticator app. How secure is that method?

~~~
packetized
Any ‘push’ method to an app will end up being more secure than pure SMS 2FA,
because it’s relatively hard to MITM/hijack it, unlike social engineering your
way into porting a cell number.

~~~
Spivak
If you're at the point where your biggest threat is a SE attack on a major
cell provider I think you're doing pretty good with security.

~~~
jkaplowitz
I used to agree, but those attacks are pretty easy to do and have been
reported on this site many times. Whereas the other solutions described in the
post don't have that attack vector.

~~~
Twisell
Well, it however comes with a big con: you become dependent on a third-party
implementation with dependencies and specific rules, whereas SMS is amongst
the most used and understood communication standards.

This blog post publicises Microsoft's implementation, but it’s the same
problem for every possible GAFAM-specific solution.

Apple's approach of including a secure and synced password manager in all
their products is a far more standard-friendly approach imho.

~~~
jkaplowitz
TOTP codes like Google's and Microsoft's apps can use, as well as the U2F
security keys, are standardized with multiple implementations in existence. No
lock-in with those solutions.

------
whoisjuan
The problem that I have with Authenticator Apps, is that they are a usability
pain... In order to get the code, I need to abandon my current context, open
the app, copy the code, go back and then paste the code.

With an SMS I just need to wait a couple of seconds and the notification comes
up. I don't have to abandon the app or switch context.

That's why I always choose SMS over the other 2FA options. It could be less
secure but in the bigger context is still adding a second layer of
authentication and is far more convenient than using the authenticator apps.

~~~
elahd
Bitwarden (password manager) automatically copies the one time pin into the
clipboard when you use the password autofill function. It's great for keeping
context. Use autofill, then tap/click the OTP text box and paste in the code.

With that said, I'm not sure it's the best idea to store 2FA and passwords in
the same system, but it is pretty convenient.

------
deadghost
As someone that is expat / travels a lot, can you please make this stuff
optional or give me options other than SMS? I keep getting locked out of
everything. I despise SMS 2FA.

~~~
ossguy
You could use [https://jmp.chat/](https://jmp.chat/) for your phone number -
with JMP your phone number is accessible whenever you have Internet,
regardless of which wifi/carrier you're using. That probably gives it a few
other advantages for a frequent traveller like yourself, aside from avoiding
the account lockouts you mentioned.

------
babalulu
The problem with moving away from SMS authentication is that not everyone in
the world has a smartphone or is able to use something like a Yubikey. SMS is
the lowest common denominator that allows most people in the world to use 2FA.
If you require 2FA and don't allow SMS, you cut off access for a lot of
people, including the poor and likely the elderly.

~~~
JeanMarcS
I was going to say something like that.

If official websites (tax, banks, etc...) start to use app 2FA, people with
only a mobile phone will have to use, what, physical mail ? Or will they have
to go to buildings in person ?

I agree that the more secure the better, but we mustn’t stop thinking of a big
part of population that can not afford smartphones (or key or whatever). Same
problem for non technical persons.

~~~
Spivak
Why worry about people affording it? TOTP hardware keys are super cheap, just
give them out to people without phones at the local BMV. There are some that
are credit card sized and one battery lasts 5+ years.

Alternatively there are a number of desktop based 2FA clients:

- Authy
- GAuth
- JAuth
- WinAuth

~~~
always_good
The thing you're missing is that you're still at the mercy of the
establishment with which you're authenticating. Just like how my
1024-character banking login password doesn't stop my bank from giving someone
else my debit card.

To suddenly arm a bunch of people with a new authentication paradigm like
hardware keys would just result in a lot of people losing them and then having
to go through the establishment's reauthentication channels anyways, which are
the weakest link in these systems. And the influx of people needing account
resets further degrades the security of the channel the same way you stop
asking to see IDs when customers are paying with credit during the lunch rush.

It's not a free lunch.

------
kerkeslager
Approaching this a different way, this is the same problem as with passwords.
If you use the same password for every site or the same phone number for every
2FA SMS, then only one password/phone number has to be compromised for a
massive escalation in privilege.

This problem is much easier to solve with passwords: you simply generate
different passwords for everything and store them in a password manager.
However, you can't (easily) generate a new phone number for every service that
requires SMS 2FA, and if you could, all the phone numbers available would be
used up quickly.

~~~
platz
> If you use the same password for every site or the same phone number for
> every 2FA SMS, then only one password/phone number has to be compromised for
> a massive escalation in privilege.

> store them in a password manager

using your logic, only one (master) password has to be compromised for a
massive escalation in privilege.

~~~
kerkeslager
> using your logic, only one (master) password has to be compromised for a
> massive escalation in privilege.

No, if you got my master password somehow, you'd also have to gain access to
my thumb drive or backup hard drive where I have the password database.

That can definitely be done; I have no illusions about the impenetrability of
my personal security. But there's a very large incentive for hackers to
compromise large databases of passwords from popular websites, and very little
incentive for them to compromise my personal password DB.

Additionally, my master password is the strongest of my passwords, with about
124 bits of entropy, so this narrow point of failure is strong relative to my
other passwords. The strength of security at the various websites I use is
unknown, and if I use the same password for all of them, only one has to fail
for my password to be exposed. Obviously it's still possible that my password
could be collected by a keylogger or some such, but that's a lot less likely
than that one of the 100+ websites I've ever put a password into gets
compromised.

This has been fairly thoroughly discussed ad nauseam elsewhere--the argument
you're making has been made and debunked many times, so let's not rehash tired
arguments.

~~~
developer2
A hack against your password manager isn't going to be targeted at you as an
individual. It will happen to one of the major companies who develop the
software. The security of the product is only as good as the weakest link at
the company.

Where is their source control stored - GitHub? How strong are the passwords of
the developers (and managers, etc.) who have access? Do _they_ use two-factor
auth? How easy is it to social engineer one's way in, and add a commit to the
app so that the next release decrypts all credentials and sends them to the
hacker's remote endpoint? It's probably 3-5 lines of code to sneak in. The
possibility of a "disgruntled/ambitious employee" exists, too.

There's also the browser extensions. I know web extensions are sandboxed, but
does that include preventing a malicious extension from capturing the
keystrokes from your password manager's master password text box? Each of
these companies also has a website UI where you can view/manage your
passwords; they load data into local storage - thus not being decrypted on the
server side - but these are still vulnerable to cross-site scripting attacks,
etc.

I think it's inevitable that one of the major password managers will wind up
being compromised. Such an event would be catastrophic.

~~~
kerkeslager
Sure, it's possible to use a badly-designed password manager, such as using a
centralized or closed-source password manager. I'd say this is still more
secure than using the same password everywhere, because it only involves
trusting one entity with the keys to everything, rather than trusting multiple
entities with the keys to everything. But it's definitely a bad security
practice.

The password manager I use is KeePassX. In both the KeePass and KeePassX
varieties it stores the passwords locally, so the only vulnerability you
mentioned that it's vulnerable to is that malicious code would get into the
source. One would hope that this would be caught by auditing, but of course
it's always possible it wouldn't be. However, this is a only a possibility:
it's guaranteed that one of the sites I log into with a password will leak
that password at some point. So using KeePassX is definitely safer than using
the same password everywhere.

> I think it's inevitable that one of the major password managers will wind up
> being compromised. Such an event would eclipse the Equifax breach.

Sure, if it's one of the password stores that stores its passwords centrally.
But that idea is so backward that I barely consider such systems to be
password managers--I'd file those under the "Joe's
totally-not-a-password-collection-scheme website". The simple answer is _don't
use those_.

If it's one of the password stores that stores passwords locally, then it will
only leak passwords of users who update their password store software between
the breach and when the breach is discovered.

You can come up with scenarios where any password scheme will be broken if a
user does completely the wrong thing, like posting their password publicly.
That doesn't mean password managers are a bad idea, it just means there's no
such thing as an idiot-proof security system.

------
latortuga
My 401k provider recently rolled out 2FA for all accounts. It's mandatory and
SMS-only. From the user-side, is there anything I can do short of complaining?
Any way to "convert" to a non-SMS version?

~~~
gruez
use a third party service for sms like google voice, or jmp.chat. yes, it just
shifts the problem from your telecom company to a third party, but at least
those providers have stronger authentication (google has totp/u2f, and
jmp.chat has whatever your xmpp server provides) than what telecoms have.

~~~
djrogers
That solves nothing - the SMS is still subject to all of the same potential
issues as one tied directly to a cell phone.

~~~
gruez
specifically what? i already stated google voice and jmp.chat both have better
authentication and 2 factor options than most cell carriers, and they're
probably harder to social engineer. since they're internet based, they aren't
vulnerable to SS7 exploits. I'm sure if you tried hard enough, you could hack
them as well, but at least it raises the difficulty from anyone who read a
social engineering guide to a nation state or an APT.

~~~
lmns
> since they're internet based, they aren't vulnerable to SS7 exploits.

I think the problem with SS7 is that there's no authentication between
providers. At least as far as I know.

~~~
gruez
afaik the ss7 exploits essentially involve a rogue carrier saying "hey
verizon, your client 212-555-1234 is roaming on my network, plz send all his
calls/texts to me". i don't think this attack applies to non-mobile providers
because there's no roaming. and unlike the internet, there's no bgp-like
system[1] for "announcing" phone numbers. it's all centralized, which should
reduce your attack surface from every telecom in the world, to the originating
telecom, whoever's in charge of the numbering database, and your carrier.

[1]
[https://en.wikipedia.org/wiki/Local_number_portability#Porta...](https://en.wikipedia.org/wiki/Local_number_portability#Portability_schemes)

------
rhacker
Even the largest companies are not thinking through this carefully enough.
When Google wants to verify a login, my android phone comes up with a special
proprietary Google prompt. Seems nice, but let's look at the flip side. Apple
does this too, and about 5 years ago I had an iPhone. Recently I tried to
download apps on my mac - and it suddenly required a password - so I tried a
bunch of different things I probably had. Nothing was working. I got to a
screen to reset the password, and they have a correct working email address
for me. Except instead of offering reset via email, there is a prompt for my
security questions. I checked my keepass entry for my security questions -
SHIT I forgot to record them :( (my mother's maiden name is something like
SDFDS$%FE#23 to Apple). So now it leaves me with one more option -
authenticate via "..."'s iPhone! I'm thinking great! I will get a text message
on my android in a few minutes (since the number is the same). No luck -
suddenly I realized that "reset via iphone" means that a special app on my
(smashed with a rock-hammer) iPhone will never ever be able to run.

Apple please listen.

~~~
will4274
> security questions

Security questions are a generation of security behind TFA. Everybody was born
in the big city closest to their Facebook hometown and your teachers' names
are all in the online version of the yearbook.

Apple is a hardware company. Google is a consumer cloud services driven
advertising company. It's no surprise that Google's cloud security is decent
and Apple's terrible.

------
nayuki
Phone-number-based two-factor authentication almost locked me out of my PayPal
account. The account was registered to my home phone in Canada, but I was
traveling in Asia. When I tried to log in from my seemingly suspicious new
location, PayPal required a confirmation by calling my number and announcing
some digits. Very fortunately my home phone used Voip.ms, so I was able to log
on to that account and redirect the call to the physical phone I had on hand.
Ideally I would decline phone 2FA because my home phone or cell phone number
could become unusable and lock me out of accounts.

------
aviv
It is incredibly simple to take over the SMS functionality of any phone number
in the US. It's crazy how easy it is.

~~~
PeterisP
That's a true problem, and one that needs solving even if SMS isn't used for
2FA.

It's worth noting that this is one more case of a USA-specific problem caused
by inability of commercial providers to securely verify identities of people;
the same thing is much more difficult (though still possible) and thus very
rare elsewhere.

------
tofflos
Just throwing in an argument against hardware keys like Yubikey compared to
SMS: Phones are good in that their owners depend on them and will notice
that their phone is missing in a relatively short period of time. Whereas lots
of people will have no qualms lending out a hardware token indefinitely in
order to help a colleague.

It might not tip the balance all the way back so that hardware tokens end up
being worse for security - it just goes to show that security is complicated.

------
neo2006
Security is always based on some secret that the user needs to understand is
vital not to reveal or share. So, if people using 2FA or password reset by SMS
do not understand that the secret sent by SMS is not to be shared, there is
nothing that people who implement security can do. On the other side, from a
technology point of view, phone number spoofing is more or less hard to achieve
depending on the operator you subscribe with. Some have specific anti-spoofing
features in their SMS platform, others don't. Anti-spoofing includes verifying
the source cell, IP (in case of SMS over IP)...

------
franky47
A company which requires your phone number for 2FA can also use it for
monetization, if it's in their T&C (that you read before accepting, of
course). Like selling it to advertisers, using it for targeted promotions and
whatnot. Another reason to ditch this transport system.

2FA is about combining a thing you know (password) with a thing you have
(physical device like a card reader for banks, but usually phone because
easier to access). But you can also use something you are (fingerprint/face
recognition), although that comes with another entire set of issues (like
sending your biometrics to a server).

------
ttul
The big advantage of Fido U2F is that the token authenticates the web site
before generating the response necessary to authenticate the user.

This means it’s impossible for an imposter web site to man in the middle the
U2F token.
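
The origin check ttul describes, as an added example in Go that is not code from this thread or from the FIDO specifications themselves: a model of a U2F token that binds each key handle to the appID it was registered for and signs SHA256(appID), a counter and the hash of the browser-built client data (which carries the origin), and the relying-party check that verifies all of those against its own origin. The origins are constructed placeholders, appID is taken to equal the site origin for simplicity, and the key-handle bookkeeping is an assumption about how a token keeps keys per site; the signed message layout is the U2F authentication format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the structure the browser builds for a sign request; the token
// signs its hash, so the origin the browser stamped in is covered by the signature.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// makeClientData stands in for the browser, which (not the page) fills in the origin.
func makeClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	return b
}

// token models a U2F authenticator: one key pair per registration, each bound
// to the appID (assumed here to be the site origin) it was created for.
type token struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	appIDs  map[string]string             // key handle -> appID bound at registration
	counter uint32
}

func newToken() *token {
	return &token{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}}
}

// register creates a fresh P-256 key pair for appID; the relying party stores
// the returned key handle and public key with the user's account.
func (t *token) register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	handle := hex.EncodeToString(nonce)
	t.keys[handle], t.appIDs[handle] = priv, appID
	return handle, &priv.PublicKey, nil
}

// signedMessage is the U2F authentication message:
// SHA256(appID) || user-presence byte || counter (4 bytes BE) || SHA256(clientData).
func signedMessage(appID string, counter uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, 0x01)
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// sign refuses a key handle registered for a different appID: a look-alike
// origin never obtains a signature made with the real site's key.
func (t *token) sign(appID, handle string, clientDataJSON []byte) (uint32, []byte, error) {
	priv, ok := t.keys[handle]
	if !ok || t.appIDs[handle] != appID {
		return 0, nil, errors.New("key handle is not valid for this appID")
	}
	t.counter++
	digest := sha256.Sum256(signedMessage(appID, t.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// verifyAssertion is the relying-party side: the origin inside clientData must
// be the site's own, the challenge the one it issued, the counter must advance,
// and the signature must verify under the stored key with the site's appID hash.
func verifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, lastCounter, counter uint32, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Typ != "navigator.id.getAssertion":
		return errors.New("unexpected client data type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	case counter <= lastCounter:
		return errors.New("counter did not advance (replay or cloned token)")
	}
	digest := sha256.Sum256(signedMessage(origin, counter, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	const site, lookalike = "https://bank.example", "https://bank-examp1e.test" // constructed origins
	tok := newToken()
	handle, pub, _ := tok.register(site)
	cd := makeClientData("challenge-1", site)
	ctr, sig, _ := tok.sign(site, handle, cd)
	fmt.Println("legitimate login:", verifyAssertion(pub, site, "challenge-1", 0, ctr, cd, sig))
	_, _, err := tok.sign(lookalike, handle, makeClientData("challenge-1", lookalike))
	fmt.Println("look-alike origin asking the token:", err)
}
```

Two independent checks do the work: the token will not sign for an appID other than the one the key handle was registered under, and even a genuine signature is rejected by the site when the browser-stamped origin in the client data is not the site's own. The counter check is what detects a replayed assertion or a cloned token.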

~~~
gruez
> This means it’s impossible for an imposter web site to man in the middle the
> U2F token.

[https://news.ycombinator.com/item?id=16501400](https://news.ycombinator.com/item?id=16501400)

~~~
ttul
Well, that's a cheap shot. It's a very sophisticated attack and assumes the
user is dumb enough to click a dialog allowing direct access to their USB
device. Many users are indeed that dumb.

So my second comeback is to say that the Chrome team is working on a fix for
this and that only certain U2F keys are vulnerable.

------
ufmace
I would agree that SMS 2-factor isn't as secure as we would like, but the OTP
and app-based alternatives have their own problems. They're much harder to
remotely exploit, but the procedure for how to recover your account in case of
sudden loss of your phone is a big hole. It's too common for phones to be
stolen, lost, damaged, or corrupted with no warning, and then you need a
recovery procedure that isn't just as vulnerable to malicious exploitation as
any of the others.

------
arglebarnacle
I was the victim of a relatively sophisticated attack that took advantage of
the weakness of SMS-based 2FA.

The attacker cracked the relatively weak password on my Verizon web login and
enabled a "feature" that synced all my SMS to desktop, which they then used to
break into a 2FA protected Yahoo email account. I saw the tokens come across
and ultimately no financial damage was done, but suffice to say I moved as
much of my 2FA over to authenticator apps as I could.

------
peterwwillis
This is a really bad article. I agree SMS-based 2FA should go, but this
article does next to nothing to explain the pros, cons, alternatives, and how
reasonable each is.

~~~
dend
Good feedback, will take that into consideration when writing the next
article. I tried to keep it short and to the point, but likely there is some
room for more detailed breakdowns.

------
philfrasty
I think another important point is device separation in general. Vincent
Haupert is talking about this in the context of mobile banking apps during the
last CCC:
[https://media.ccc.de/v/34c3-8805-die_fabelhafte_welt_des_mob...](https://media.ccc.de/v/34c3-8805-die_fabelhafte_welt_des_mobilebankings#t=444)

~~~
DennisP
The summary via google translate is intriguing. Is there more information in
english somewhere?

~~~
philfrasty
CCC has all their media in English as well. If you click the little settings-
wheel on the right side of the screen, you can select English.

------
maxehmookau
No. No it's not. If you're making software for the wider-public you can't
demand people download a special app for it. Or even understand what a 2FA
code is.

SMS is the only way, so far, to make 2fa adoption fast amongst everyone.

~~~
dend
Not quite true - smartphone market penetration is quite large, so it is
possible to reliably offer a universal app (see: MS Authenticator, Google
Authenticator, Authy) for code auth. Now, sure, you can argue that SMS should
be kept as an _option_ but it should never be the only one.

------
z3t4
As a replacement you can send your users a One-time pad, like a scratching
lottery ticket. Or a digital "dumb" device loaded with an encrypted private
key. You can also use a browser client certificate.

------
ksec
SMS 2FA has problems in the US. But as usual they made it sound like every
mobile network in the world is vulnerable.

For places where your SMS is relatively safe, SMS 2FA is the current best for
average home user.

~~~
rphlx
The US is particularly bad but there is no nation in the world where the
telecom system is entirely secure against all threats. SMS adds an unnecessary
trusted third party to 2FA, something that really should be a two-party
system.

------
thatgerhard
It's time to ditch SMS completely. If it's important the network can use OTA to
get emergency messages to you. But receiving anything with your number should
be removed.

~~~
gambiting
Why? That's dumb. SMS and MMS messages work perfectly fine and are a super
easy option to communicate that works almost always, no matter where someone
is located. My mum almost exclusively uses SMS to send me messages, because
she can't figure out email on her phone (and I've tried to teach her for the
last 10 years, with zero success). So I keep using SMS with my mum - and you'd
want to remove it? Why?

------
u801e
I wish websites would support 2 factor auth via a client side TLS certificate
along with a username and password login.

Email and SMS based 2FA shouldn't be the only choices.

------
cypherg
That time was at least 2-3 years ago. If you're ditching SMS 2FA today, you're
probably one of the last people to do so.

~~~
djrogers
That’s far removed from the real world - many many consumer facing companies
are just now rolling out 2FA, and many of them are SMS based. Think banks,
credit unions, utility billing, etc...

~~~
cypherg
US-CERT and NIST, with the speed of a massive government, declared SMS 2FA
dead back in 2016. The security world moved on from SMS long before that.

------
alexnewman
pass for ios can do the google authentication role while being much easier to
manage and secure

------
tomc1985
SMS 2FA is great!

Until my phone gets stolen :(

------
somehnreader
As a twilio shareholder I would like to please encourage everybody to
implement 2FA via SMS!

