Why You Shouldn’t Use SMS for Two-Factor Authentication

Here we can see, “Why You Shouldn’t Use SMS for Two-Factor Authentication”

Security experts recommend using two-factor authentication to secure your online accounts wherever possible. Unfortunately, many services default to SMS verification, sending codes via text message to your phone once you check-in. But SMS messages have tons of security problems and are the smallest amount secure option for two-factor authentication.

First Things First: SMS Is Still Better Than No Two-Factor Authentication at All!

While we’re getting to lay out the case against SMS here, it’s important we first make one thing clear: Using SMS is best than not using two-factor authentication in the least.

When you don’t use two-factor authentication, someone only needs your password to sign in to your account. However, once you use two-factor authentication with SMS, someone will be able to acquire your password and gain access to your text messages to realize access to your account. Therefore, SMS is far safer than nothing in the least.

If SMS is your only option, please do use SMS. However, read on if you’d like to learn why security experts recommend avoiding SMS and what we recommend instead.

SIM Swaps Allow Attackers to Steal Your Phone Number

Here’s how SMS verification works: once you attempt to check-in, the service sends a text message to the mobile number you’ve previously provided them with. You get that code on your phone and enter it to check-in. That code is merely good for one use.

It sounds reasonably secure. After all, only you’ve got your phone number, and someone has got to have your phone to ascertain the code—right? Unfortunately, no.

If someone knows your phone number and may get access to non-public information just like the last four digits of your Social Security number—unfortunately, this be easy to seek out because of the various corporations and government agencies that have leaked customer data—they can contact your phone company and move your phone number to a replacement phone. This is often called a “SIM swap “and is the same process you perform once you purchase a replacement device and move your phone number to that. The person says they’re you, provides the private data, and your phone company sets up their phone together with your phone number. They’ll get the SMS message codes sent to your phone number on their phone.

We’ve seen reports of this happening within the UK, where attackers stole a victim’s phone number and used it to realize access to the victim’s checking account. ny State has also warned about this scam.

At its core, this is often a social engineering attack that relies on tricking your phone company. But your phone company shouldn’t be ready to provide someone with access to your security codes in the first place!

SMS Messages Can Be Intercepted in Many Ways

It’s also possible to pay attention to SMS messages. Political dissidents and journalists in repressive countries will want to take care because the government could hijack SMS messages as they’re sent through the phone network. This has already happened in Iran, where Iranian hackers reportedly compromised various Telegram messenger accounts by intercepting the SMS messages that provided access to those accounts.

Attackers have also abused problems in SS7, the connection system used for roaming, to intercept SMS messages on the network and route them elsewhere. There are many other ways messages are often intercepted, including through the utilization of faux phone towers. SMS messages weren’t designed for security and shouldn’t be used for it.

In other words, a classy attacker with a touch of private information could hijack your phone number to realize access to your online accounts then use those accounts to aim to empty your bank accounts, for instance. That’s why the National Institute of Standards and Technology is not any longer recommending the utilization of SMS messages for two-factor authentication.

The Alternative: Generate Codes on Your Device

A two-factor authentication scheme that doesn’t believe SMS is superior because the phone company won’t be ready to give somebody else access to your codes. the foremost popular option for this is often an app like Google Authenticator. However, we recommend Authy since it does everything Google Authenticator does and more.

Apps like this generate codes on your device. Albeit an attacker tricked your phone company into moving your phone number to their phone, they wouldn’t be ready to get your security codes. the info needed to get those codes would remain securely on your phone.

You don’t need to use codes, either. Services like Twitter, Google, and Microsoft are testing app-based two-factor authentication that permits you to check in on another device by authorizing the sign-in in their app on your phone.

There also are physical hardware tokens you’ll use. Big companies like Google and Dropbox have already implemented a replacement standard for hardware-based two-factor authentication tokens named U2F. These are all safer than counting on your phone company and, therefore, the outdated phone network.

If possible, avoid SMS for two-factor authentication. It’s better than nothing and seems convenient, but it’s usually the smallest amount secure two-factor authentication scheme you’ll choose.

Unfortunately, some services force you to use SMS. If you’re worried about this, you’ll create a Google Voice phone number and provides it to services that need SMS authentication. You’ll then sign in to your Google account—which you’ll protect with a safer two-factor authentication method—and see the secure messages within the Google Voice website or app. Just don’t forward messages from Google Voice to your actual phone number.

Top 5 reasons not to use SMS for multi-factor authentication

Using SMS as a further means to authenticate your password is best than nothing, but it isn’t the foremost reliable approach. Tom Merritt lists five reasons why SMS shouldn’t be used for MFA.

Multi-factor authentication (MFA), or as we want to call it, two-factor authentication, is essential–it means you do not believe your password alone for security. Those passwords are some things you recognize, but with MFA, you furthermore may believe other factors, like something you’re (your face, fingerprint, etc.), or something you’ve got, sort of a security key.

SMS is the most often used additional factor because almost everybody has it. It is a little easier to manage for developers, but it is also the smallest amount secure. While it’s better than nothing, it’s far more secure to use an authenticator app or a physical security key. Here are five reasons to not use SMS for MFA.

• SMS and voice calls aren’t encrypted. Instead, they’re transmitted in clear text, making them easier to intercept. In addition, determined attackers have access to many tools, from software-defined radios to FEMTO cells to SS7 intercept services.
• SMS codes are susceptible to phishing. A tool called Modlishka uses actual content from the location it’s mimicking to urge you to enter your info and dumps you out there on-site at the top, so you do not even realize you were there. CredSniper and Evilginx are similar phishing tools. A YubiKey or similar isn’t susceptible to this attack.
• Phone company employees are often fooled. For example, attackers can trick an employee into transferring a phone number to the attacker’s SIM card, meaning the safety codes get sent to them rather than you.
• Outages. Authentication apps and security keys work offline. SMS needs the phone company to be available to figure, and sometimes the phone system can go down when the web doesn’t.
• SMS isn’t likely to urge safer. As multi-factor authentication becomes more common, more attackers will target it. Attackers usually target the weakest link in security, and with MFA, SMS is the weakest link.

All that said, if SMS is your only option, use it! Having SMS as multi-factor authentication remains better than having no other factors and just counting on a password. If you’ve got the choice, you would possibly want to travel with an authentication app or, even better, a security key, sort of a YubiKey.

User Questions:

1. Why is SMS bad for 2FA?

But the default 2FA option is typically SMS—one-time codes texted to our phones, and SMS has infamously poor security, leaving it a hospitable attack. SMS attacks either compromise phones/phone numbers or the messaging centres themselves within mobile networks.

2. Can SMS OTP be intercepted?

Most online transactions require two-step authentication. Therefore, the One-Time-Password (OTP) sent by SMS is usually one among those two steps. A secure app will intercept an SMS OTP to facilitate transactions and make them fast, and a malicious app will intercept it to commit banking fraud.

3. Is two-factor authentication necessary?

Two-factor authentication does improve security, but it isn’t the answer altogether in cases. Adopting the incorrect 2FA solution can burden users with little security benefit. Understanding your users and, therefore, the security threats you face is the key to a successful two-factor authentication deployment.

4. PSA: Don’t use SMS-based Two-Factor Authentication if you’ll avoid it

PSA: Don’t use SMS-based Two-Factor Authentication if you can avoid it from tmobile

5. YSK that enabling “2-Factor Authentication” is your best defence against hackers and bots

YSK that enabling "2-Factor Authentication" is literally your best defense against hackers and bots from YouShouldKnow