Actually we have known literally for years, maybe over a decade, that SMS-based two-factor is insecure and prone to phishing... that's the point of TOTP/shared-secret-based two-factor auth...
(Edit) Just to point out, here I am not talking about the possibility of SMS interception - I'm talking about an SMS intercept that DID happen in 2016, is widely publicised and has a lot of sources, including a timeline of the event and communication with the mobile service provider (albeit this info is mostly in Russian).
Who else but the "tech crowd" implements SMS 2FA on these websites? What does it say about our industry if we're pushing solutions we know to be flawed?
The tech crowd isn't implementing SMS 2FA for fun. They're doing so because the manager is like "wait what! they'd need to install an app? but we can just use SMS! I don't care what you say about it being insecure, it's still more secure than not having it!"
What's the fix? I mean for fuck's sake, naming & shaming companies doesn't ever work for security stuff. It doesn't even work for getting HTTPS on login forms; it's not like it's easy to push through the nuances of SMS 2FA's security issues.
Or even tech stuff in general. I just moved to Belgium and half the national services here don't know how to dial an international phone number, don't support + or 00 at the beginning of phone number inputs, etc. There is no end to how technologically illiterate services can be. And yet, it's still "the tech crowd" implementing all these things.
We need to find a way to push these obvious fixes through, but as far as I know, short of reporting the issue and crossing your fingers someone relevant hears it, it's not possible.
I wouldn't want to try to formulate that into concrete legislation, though. It would be an enormous change, and I'm not sure what we'd end up with if we tried that.
It would seem push-notification-style 2FA à la iCloud/Gmail/Duo/Blizzard is the better solution, but that also opens up a vector for users who simply accept every push notification request.
U2F would seem better than both those options, but alas it can still be lost or stolen and compromised before access can be revoked.
If you want phishing protection, use U2F.
Though it is still worth considering SMS insecure due to the many other pitfalls that aren't phishing, where TOTP fares a bit better. Still, I wish more stuff supported U2F.
I think an article should be written like this:
"There isn't a security measure that exists, short of locking a computer in a room with a keyless door and no external connection, that is completely immune to hacking; there are just varying degrees of computer security, and 2FA happens to be safer than others."
- Someone porting away your phone number from your wireless provider
- The ease of confusion of a text message asking you to send a generated OTP (e.g. you're more likely to forward an OTP received by SMS to another SMS than you would one from a TOTP generator)
- The wireless provider can theoretically read the message in transit (or backdoor code, whether from a gov't agency or a malicious actor acting on behalf of the wireless provider)
Those are just 3 I can think of off the top of my head...I'm sure there are more.
2FA apps like Authy are also at risk from fraudulent interstitial sites that capture your user ID, password and Authy code, authenticate with the legitimate site, and allow the fraudster to control your account.
Really the only secure 2FA is a hardware token.
So while I do agree with you that hardware tokens are best, it's a mistake to lump SMS in with other forms of 2FA from a vulnerability perspective.
But both TOTP and SMS are phishable, and moving from SMS to TOTP is not a meaningful anti-phishing defense.
U2F and WebAuthn resist phishing using a form of mutual authentication, which is why security keys actually do resist phishing, and why Google switched to them and away from TOTP.
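As an added example that is not part of any comment in this thread: the two mechanisms the comments above contrast, side by side. The first half is a TOTP relay of the kind the "interstitial site" comment describes (the phisher forwards whatever code the victim types); the second half shows the origin binding that makes a relayed U2F/WebAuthn assertion useless to the phisher, because the browser (not the page) writes the origin into the signed client data. It runs on the Python standard library; the HMAC key standing in for a security key's per-site ECDSA key pair, the origins, the secrets and the timestamps are all constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


class TotpSite:
    """The legitimate site: it only ever sees a 6-digit code, never where it was typed."""
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def login(self, code: str, now: int) -> bool:
        # Typical server check: accept the current step and one step either side.
        return any(hmac.compare_digest(code, totp(self.secret, now + d)) for d in (-30, 0, 30))


def totp_relay(site: TotpSite, victim_app_secret: bytes, now: int) -> bool:
    """Victim reads the code off their app and types it into the phishing page;
    the phisher submits it to the real site a few seconds later. Accepted."""
    code_typed_on_phishing_page = totp(victim_app_secret, now)
    return site.login(code_typed_on_phishing_page, now + 5)


class SecurityKey:
    """Stand-in for a U2F/WebAuthn authenticator. A real key holds an ECDSA P-256
    key pair per relying party and signs with the private key; an HMAC key (constructed)
    is used here only to stay on the standard library. What matters is what gets signed."""
    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, browser_origin: str, challenge: bytes):
        # The browser supplies the origin of the page that called the API; the page
        # cannot lie about it. Origin and challenge are both covered by the signature.
        client_data = json.dumps({"challenge": challenge.hex(),
                                  "origin": browser_origin}, sort_keys=True).encode()
        signature = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return client_data, signature


class RelyingParty:
    def __init__(self, origin: str, registered_key: bytes):
        self.origin = origin
        self.key = registered_key        # a real RP stores the public key instead
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False                                  # client data was tampered with
        data = json.loads(client_data)
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.pending:
            return False                                  # unknown or already-used challenge
        self.pending.discard(challenge)
        return data["origin"] == self.origin              # relayed from another origin -> False


def u2f_legit_login(rp: RelyingParty, key: SecurityKey) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(*key.get_assertion(rp.origin, challenge))


def u2f_phishing_relay(rp: RelyingParty, key: SecurityKey, phishing_origin: str) -> bool:
    """Phisher starts a real login, gets a fresh challenge, serves it on its own page.
    The victim's browser reports the phishing origin, so the RP rejects the assertion."""
    challenge = rp.new_challenge()
    client_data, sig = key.get_assertion(phishing_origin, challenge)
    return rp.verify(client_data, sig)


def u2f_rewrite_origin(rp: RelyingParty, key: SecurityKey, phishing_origin: str) -> bool:
    """Phisher tries to patch the origin field before forwarding: the signature no longer matches."""
    challenge = rp.new_challenge()
    client_data, sig = key.get_assertion(phishing_origin, challenge)
    forged = client_data.replace(phishing_origin.encode(), rp.origin.encode())
    return rp.verify(forged, sig)


def demo() -> dict:
    secret = b"constructed-shared-totp-secret"
    device_key = b"constructed-device-key"
    site = TotpSite(secret)
    rp = RelyingParty("https://bank.example", device_key)
    key = SecurityKey(device_key)
    phish = "https://bank-login.example"
    return {
        "totp_relay_accepted": totp_relay(site, secret, 1_700_000_000),          # True
        "u2f_legit_accepted": u2f_legit_login(rp, key),                          # True
        "u2f_relay_accepted": u2f_phishing_relay(rp, key, phish),                # False
        "u2f_rewritten_origin_accepted": u2f_rewrite_origin(rp, key, phish),     # False
    }


if __name__ == "__main__":
    print(demo())
```

The TOTP half passes the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so the relay result is not an artefact of a toy implementation; the only thing the phisher needs is to forward the code inside the server's acceptance window. In the U2F half the phisher can obtain a perfectly valid assertion from the victim's key, but it is valid only for the origin the victim was actually on.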
My point being that at least with phishing attacks the end user can prevent them by paying attention. With SMS 2FA, even if the end user does everything right they are still open to getting hacked. For example, a bunch of people had their Bitcoin stolen when bad guys convinced the phone company to change number ownership.
I've never seen an article so imprecise. 2FA protects against account takeover, not against phishing. In fact, most 2FA mechanisms are affected by phishing, and that's why there are security keys with U2F and now FIDO2, which seem unknown to the writer. I'm surprised to see such a poor-quality writeup from the NYT.
Any security solution is only as strong as the weakest link and needs to be evaluated on an end-to-end basis. A secure lock with properly installed screws is surely useless if it is installed on a screen door, if a window near the securely locked door is habitually left open, or if keys to the secure lock, with the address and PIN number written on them, are left in public places.
The article reports that Google internally switched from TOTP, but doesn't report what Google switched to: U2F.
The article describes, in some detail, how TOTP and SMS two-factor authentication can be phished, but doesn't describe a two-factor authentication method that is quite a bit harder to phish: U2F.
There is a pattern here, and it is puzzling, to say the least.
EDIT: Changed "phish-proof" to a more realistic adjective.
This argument does quickly devolve though; if an advanced persistent threat is taking an active interest in you the only technique that is even close to effective is to cut out as much technology as possible; Bin Laden or Unabomber style
The paper from the website of CS Prof. Alan Mislove:
Are HN readers concerned about having to disclose more and more PII to advertising companies in order to be "authenticated"?
Recently I heard someone being interviewed on the radio who studies internet privacy, and he was talking about this type of authentication. He was arguing it is problematic for privacy in that it requires the authenticating party to always have "one more" item of PII.
He suggested that the PII disclosure requirements would only keep escalating and eroding privacy until the user has to "jump through her phone" to prove she is who she says.
I would provide a reference but I did not get his name. Maybe this sounds familiar to someone? Who knows, maybe he reads HN.
So, an authentication method that:
- Is without dedicated hardware, as hardware is expensive and difficult to distribute, and if it's a USB device there is no guarantee that a user has a laptop.
- Functions on feature phones (yes, they are still out there), or at the least on phones without biometrics, as most don't have them.
- That doesn't require the user to do anything extremely complex, as ironically this is the part where a lot of fraud occurs.
E.g. during a mobile banking rollout, customers were asked to register their phone number at an ATM. However, many customers of the bank weren't familiar with ATMs (they banked at branches), and the people they requested help from linked their own phones and stole their cash.
U2F protects against phishing.
FIDO and U2F are addressing this, but it needs browser support. And Google Chrome had some bad bugs in their WebUSB implementation that allowed any site to read keys - not sure if all those issues are addressed by now.
Also there are lots of use cases where there just doesn't seem to be any more practical option for developers. For example, a second factor of authentication for financial transactions where the requestor only has a feature phone. Or the far more common scenario, where the practicality of rolling out hardware dongles or custom authentication applications is just too difficult/expensive.