I think the worst is when companies force you to leave SMS on as a fallback.
On stripe, I use a security key. Someone has to either steal my keyring, or steal my backup key.
But I'm force to leave SMS on as a fallback, so really, the weakest link is there, and a potential cracker only needs to break this extremely fragile insecure system, and completely bypass the security key.
So is stripe liable for your account being compromised due to SIM hijacking? The telephone companies claim they're not liable, and you certainly aren't liable, so who is?
This smells similar to banks not needing to check check signature anymore.
Even worse is when companies force you to use SMS as the first and sufficient authentication factor. EDF (the biggest European electricity provider) does that in France.
SMS 2FA is weak, but it does two things: it shifts the attack from a passive opportunistic one to a targeted one, and, 2. in unionized environments you can add a second compliance factor without distributing new devices, "training" people to use TOTP apps, or "forcing" people to install an app on their personal devices.
That is the big cultural reason why SMS 2FA is going to be with us for a while. Sure, use TOTP and FIDO tokens for systems people, but for institutions with thousands or tens of thousands of employees, SMS 2FA is still economical and will still be with us 5-10 years from now. It's the new passwords.
The smart thing would be for MSFT/o365 to give you the option to switch to a TOTP token and other authenticators with a better experience so people can switch organically. Most security people still don't distinguish between authenticators and identities, as federation concepts like identity providers are still in the rarefied space of enterprise. Identity isn't well thought out either because it's a legal concept, and like most tech risk and liability, if anyone read the fine print they'd never use it.
SMS 2FA is basically a ritual that allows people to agree to ignore risk.
> it shifts the attack from a passive opportunistic one to a targeted one
This isn't true. You can bulk phish SMS, TOTP and the push confirmation stuff. Software to do this isn't theoretical you can just download it ready to use, because in each case you only need to fool a human into believing this is really their bank/ web mail/ government/ etc.
If you want to get rid of the opportunistic stuff you need technology like WebAuthn that makes it simply not work.
> The smart thing would be for MSFT/o365 to give you the option to switch to a TOTP token and other authenticators with a better experience so people can switch organically.
It already does, both through an app notification using the Microsoft Authenticator TOTP app, as well as through the app-agnostic TOTP method. (Just checked my own settings.) It's just not the easiest thing to find the settings page where you do it, because Microsoft helpfully hides it behind "advanced security options" instead of just putting it next to the "change password" UI like the other major sites do.
> Most security people still don't distinguish between authenticators and identities, as federation concepts like identity providers are still in the rarefied space of enterprise.
Who are you counting as "security people" in this case? I feel like the distinction for that kind of thing has been around for a long, long time, as evidenced by SSH public key configs and Active Directory certificate based login configuration both allowing multiple keys/certs per user, or Github allowing multiple keys as access tokens, etc. If we're talking about OTP keyrings issued by banks to consumers, again I don't think those things have been equated to identity as much as being treated like a second key for a second lock on the same door.
Beyond marketing, I've never understood SMS as the default 2FA over just using a second email as the 2nd factor.
Everyone has a 2nd email, personal + work or school.
You could argue that both emails are probably accessible from an email app on the phone, but if the phone is stolen, then that's no worse than SMS or ToTP apps also on the phone.
You could argue password reuse, but if the address used for 2FA is never exposed to the end user after being set+verified, then the attacker would have no way of knowing the victim's 2nd email address.
Unless the attack is targeted... But if the attack is targeted, then we're back to SMS being vulnerable.
So, what it comes down to is 2nd email as 2FA is more secure and more efficient than SMS out of the gate... (and much cheaper)...
And, if I use a very obscure and otherwise not used email (with its own security + strong password), even a targeted attack has no better chance than a ToTP app on an offline device, like an iPod touch.
So:
- 1st.) ToTP on offline device (most secure, most expensive, most difficult to learn, hard to use),
- 2nd.) 2nd email (can be most secure, cheapest, easiest to learn, easiest to use), and
Why didn't we all default to 2nd email then, instead of SMS as a paradigm? Actually, was used, and still used by Gmail from the beginning (even in conjunction with ToTP now)...
My guess is the most common attacker is someone sitting on a computer in a different country/continent. So:
1) Getting a mobile phone number seems much more difficult than getting an email. It provides some amount of country verification: If a service runs for let's say Danish people, then they can expect the phone number to be a +45.
2) taking over someone's email seems much more easy than taking over someone's phone, since many people reuse same password everywhere, then if you already have the password of the service requesting the OTP, good chance is that you also have the email password. The email address is not hard to find if attacker has password to the first email too. Hoping for security by obscurity (i.e. the 2nd email is now a "secret") isn't great.
3) physical security: without sophisticated attack, SMS can only be received on the actual user mobile phone, even if a phone with no passphrase. "If the phone is stolen" isn't a realistic scenario against a scammer on another continent.
Also from a theoritical point of view: it's a completely different communication channel, so if someone has somehow taken over the first channel (via some malware running on the email client/computer), then they still need to take over second channel.
So for instance, if a USPS snail mail wasn't so slow (or you don't need the OTP code right away), even if really insecure, it'd be better than 2nd email, as it follows same benefits as SMS.
I believe I (+ the paper) addressed counterarguments 1-3, so agree to disagree. But...
> Also from a theoritical point of view: it's a completely different communication channel, so if someone has somehow taken over the first channel (via some malware running on the email client/computer), then they still need to take over second channel.
...is a very good point. Although, (without any data to back up this claim), I would think most users with a compromised device have a fully compromised device.
Edit:
> Hoping for security by obscurity (i.e. the 2nd email is now a "secret") isn't great.
To clarify, that's not exactly the point. If the attacker discovers the value for the phone number or 2nd email (through a data breach), then it becomes targeted, which brings us back to the security of SMS vs email (the parent article).
Specifically, in unionized environments introducing new technologies and methods no matter how seemingly trivial creates an obligation for formal job training. Setting up an hour of training for 5k+ people on how to install and use Auth0 is way more expensive than just sending someone an SMS. There is no implicit responsibility to adapt to change.
If an employer wants employees in a bargaining unit to use their own mobile devices and install a TOTP app on them, employer has to pay, and then the responsibility for it working needs to be established. In normal environments, you just say "we use this here," and users figure it out. If it's organic bottom-up adoption based on the option, it works, but if you impose a change, it creates admin overheads.
That's too broad a generalization. I am aware of unionized environments where the employer uses MFA and expects the employee to bring their own device, and the user is expected to read the online KB documentation in lieu of formal training.
tl;dr -- unions aren't all alike, and don't all bargain over the same issues.
>Email accounts have become, over the years, not only large repositories of highly sensitive and private data, but also single points of failure for digital footprints on the Internet.
This is really the key issue here. Passwords are fine if you give people some place to keep them.
>...it became widely acknowledged that passwords should be highly complex in order to maximize their entropy and, thus, substantially increase the amount of time it would take to crack them.
This is only true if people reuse the same password for different sites. Otherwise the site can rate limit brute force attacks to the extent that even completely trivial passwords are OK.
I dunno, it seems that in most cases second factor auth is not really needed. We need to address the actual problem, not attempt to paper it over by dumping stuff on top. The "let's just let the phone company do the identity stuff" approach is a good example of failing to deal.
MFA wouldn’t be needed in a perfect world, but that world clearly doesn’t exist, despite 50 years of pleading with people to pick good passwords and manage them correctly. At some point you just need to look at the evidence and find another way to accomplish your goals.
Please, no more SMS Authentication. Hacker news readers are in a unique position to prevent this "feature" from entering products. Let's work on putting this idea out to pasture.
TOTP, while not perfect, is an improvement. The protocol could be improved to provide protection against proxy attacks, but the point I'm trying to make is that your regular user can use TOTP. I've successfully set it up for my parents (both closing in on 70years old and are not tech-savvy) and they have no issues using it.
Personally I use a hardware U2F key everywhere I can. With the newest version of Safari Tech Preview _finally_ supporting U2F, I'm hoping we see some deeper market penetration.
I have something like 200 accounts stored in my LastPass account, and my main problem now is that I have no idea which of my accounts use SMS for 2FA. There was a period of time where 2FA was synonymous with SMS, and a further period of time where using a hardware key or authenticator app required setting up SMS first. I'm trying to clean it up, but it's a mess out there. Some accounts require a phone number and don't have an option to disable SMS as a option.
What I would like to see is software U2F keys that browsers sync for you. I'm sure this would upset some people but I don't think the average user has the ability to understand and maintain a set of security keys. Furthermore you have to maintain the keys separately for each site. This means that I only use 2fa for a small number of valuable sites, because the pain of rotating the credentials is huge.
However most people I know have browser sync set up. They are using it for passwords. It would be great if it could manage a security token for them and allow authentication to websites without risk of leak.
I'd love to start recommending hardware keys as a go-to over TOTP but I often find that the cost is not great (taking mostly the Yubikey and Titan into consideration). Especially for people that aren't all that bothered with securing accounts in the first place, they see it as an unnecessary cost.
Same for companies a lot of the time.
Are there any cheaper, but still reliable hardware keys nowadays?
When I researched on the best/popular TOTP apps some years ago, I found Authy being highly recommended. When I tried it, I discovered that it first needs a phone number that it verifies through an SMS code. I promptly removed it and switched to another one (called OTP Auth).
The worst thing about SMS authentication in terms of UX is what happens when you're outside your country. I moved countries recently, but I still need to do things like retrieve tax statements etc. Some companies only support SMS as a second tier authentication method (some at least allow you to use email as an alternative), some won't allow you to change to a foreign number, some will not be able to send you a text if you're in roaming mode abroad (I keep my old SIM active just for that).
I feel like this is an important clarification from the end of the intro:
"This article provides some insight into the security challenges of SMS-based multifactor authentication: mainly cellular security deficiencies, exploits in the SS7 (Signaling System No. 7) protocol, and the dangerously simple yet highly efficient fraud method known as SIM (subscriber identity module) swapping. Based on these insights, readers can gauge whether SMS tokens should be used for their online accounts. This article is not an actual analysis of multifactor authentication methods and what can be considered a second (or third, fourth, etc.) factor of authentication; for such a discussion, the author recommends reading security expert Troy Hunt's report on the topic."
> Regardless of the critical nature of an online account or the individual who owns it, using a second form of authentication should always be the default option, regardless of the method chosen.
Couldn’t disagree more. This is oversimplification of a complex subject.
Capital One continues to only make SMS available for 2FA. I had to close my account(s) with them last year when they refused to allow me to use my wife's phone for this purpose (since I don't have one). Their loss, not mine.
How about using virtual phone numbers (Twilio, Google Voice, etc) for SMS 2FA? Any better than a real SIM for services that don't support other 2FA options?
Should eliminate OTA and SIM swap attack vectors from figure 2.
Not if you are securing your email with a security key and enforcing that you can only access it from devices that meet security guidelines (as is easy to do with Office 365 and almost easy to do in GSuite). Unlike SMS, where you could lock down your phone and take every precaution and an attacker could still compromise your SIM via your carrier.
On stripe, I use a security key. Someone has to either steal my keyring, or steal my backup key.
But I'm force to leave SMS on as a fallback, so really, the weakest link is there, and a potential cracker only needs to break this extremely fragile insecure system, and completely bypass the security key.