Recent news headlines have made security-conscious companies increasingly wary of providing two-factor authentication (2FA) via SMS/voice. Yet while SMS/voice 2FA is undoubtedly not without its flaws, focusing only on the problems with SMS/voice 2FA ignores some of the larger issues surrounding 2FA in general.
How Scammers are Breaking SMS/voice 2FA
Two-factor authentication was invented to add an extra layer of protection to user accounts, but clever attackers are finding ways to bypass 2FA. So-called “port-out” scammers use social engineering to temporarily hijack the victim’s phone number. The port-out scam requires access to stolen personal information such as the victim’s date of birth and Social Security number.
The scammers first impersonate the victim, asking the victim’s wireless carrier to transfer the phone number to a different device. While the number is under the scammers’ control, they can easily intercept 2FA codes sent to the victim’s phone and use them to break into the victim’s accounts.
Another way of temporarily accessing a victim’s phone number is to gain access to the SS7 signaling network, which telecommunications carriers use to exchange routing information about subscribers. If attackers manage to infiltrate even one of the hundreds of telecom companies connected to SS7, they could potentially intercept a variety of voice calls and SMS messages.
IT security firm Positive Technologies has found that 78 percent of mobile networks in Europe and the Middle East could be vulnerable to such attacks.
Why SMS/voice 2FA Isn’t (Completely) to Blame
Despite the reported issues with SMS/voice 2FA, companies such as GitHub, Stripe, and Instagram continue to offer two-factor authentication via SMS, in addition to third-party mobile security apps such as Duo and Google Authenticator. In fact, in a multi-stakeholder community like Instagram, SMS/voice 2FA is almost indispensable due to the balance it offers between security and usability/contactability.
Yet while third-party authentication may seem more secure on the surface, it’s still susceptible to good old social engineering tactics. 2FA methods that are not biometric will necessarily rely on an external device or object—so what happens when it’s lost or stolen?
In most cases, users will need to contact a human customer support agent to explain the situation and regain access to their account. This means that attackers may be able to successfully use the same social engineering methods (such as stolen personal information) to impersonate the victim and break into accounts protected by these so-called ‘better’ 2FAs.
What’s more, 2FA methods such as third-party apps often allow you to “fall back” to an alternate method in the event that you lose access. In many cases, this alternate method is the so-called ‘weaker’ but more ‘usable’ SMS/voice 2FA. This is clear evidence that the ‘strongest’ 2FAs have loopholes that weaken them significantly, and that most people simply turn a blind eye to them; as the security adage goes, ‘security is only as strong as its weakest link’.
Google Authenticator and Authy offer the alternate method of signing in using backup codes that are provided when you first set up your account. However, note that these codes are essentially passwords that people write down, which is highly insecure if an attacker gains physical or digital access to their workstations.
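As an added illustration of the weakest-link point above (example code, not part of the original article), the following Python models an account's second factors together with their fallback and recovery paths, and computes the account's effective assurance as the weakest method an attacker could reach. The method names and assurance ranks are constructed assumptions; only their ordering matters.

```python
from dataclasses import dataclass, field

# Constructed, illustrative assurance ranking (higher is stronger).
# These are not measurements, just an ordering consistent with the article.
ASSURANCE = {
    "password": 1,
    "support_reset": 1,  # human agent verifies with personal data (social engineering risk)
    "sms_otp": 2,        # number can be ported out or intercepted via SS7
    "backup_codes": 2,   # long-lived secrets that people write down
    "totp_app": 3,       # Google Authenticator / Authy style app
}


@dataclass
class Account:
    primary: list                                   # second factors usable at login
    fallbacks: dict = field(default_factory=dict)   # method -> methods it can fall back to

    def reachable_methods(self):
        """Every method that can complete 2FA, following fallback edges transitively."""
        seen, stack = set(), list(self.primary)
        while stack:
            method = stack.pop()
            if method in seen:
                continue
            seen.add(method)
            stack.extend(self.fallbacks.get(method, []))
        return seen

    def effective_assurance(self):
        """Weakest-link rule: the floor is set by the weakest reachable method."""
        return min(ASSURANCE[m] for m in self.reachable_methods())

    def weakest_links(self):
        """The methods that set the floor, i.e. the ones worth hardening first."""
        floor = self.effective_assurance()
        return sorted(m for m in self.reachable_methods() if ASSURANCE[m] == floor)


def compare_configurations():
    """Four configurations discussed in the article, scored by the weakest-link rule."""
    return {
        "sms_only": Account(["sms_otp"]).effective_assurance(),
        "totp_sms_fallback": Account(["totp_app"],
                                     {"totp_app": ["sms_otp", "backup_codes"]}).effective_assurance(),
        "totp_support_reset": Account(["totp_app"],
                                      {"totp_app": ["support_reset"]}).effective_assurance(),
        "totp_no_fallback": Account(["totp_app"]).effective_assurance(),
    }
```

Adding an authenticator app while keeping SMS as its fallback leaves the floor exactly where SMS-only had it, and routing recovery through a support agent can lower it further.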
In the end, there’s no perfect solution to the security issues raised by 2FA methods—only ways that companies can bolster their defense through defense-in-depth, and try to stay two steps ahead of the attackers.
Like it or not, we expect that SMS/voice OTPs will remain an integral part of two-factor authentication in the foreseeable future, due in large part to convenience and widespread usage. Even the U.S. National Institute of Standards and Technology (NIST) has walked back its 2016 recommendation that 2FA using SMS is ‘deprecated.’
Instead of clamoring for so-called ‘stronger’ 2FA security while blindly ignoring the gaping loophole it exposes during the fallback process, companies should focus on a more holistic, multi-layered approach to security. For example, human agents should receive training to combat social engineering attempts, and malicious number porting attacks can be thwarted using techniques such as calling the user before approving a porting request.
Until companies can work out all the questions and security issues surrounding 2FA in general, SMS/voice OTP two-factor authentication is here to stay.