The Limits of SMS for 2-Factor Authentication

Source: https://qadit.com/blog/the-limits-of-sms-for-2-factor-authentication/ (republished 2016-09-12)

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

[Image: 2fa]

Mark Cobb, a computer technician in Reno, Nev., said that had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn (https://ift.tt/1OJVRN0).

In any case, the crooks were priming her to expect a code and to repeat it back to them, because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone, because Google would do so as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.

Nevertheless, texting codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration (https://ift.tt/2aJI4Zs) and Sony’s PlayStation Network (https://ift.tt/2bpscrK) — are just getting around to offering two-factor via SMS.

But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines (https://ift.tt/2a2RRt5) urging organizations to favor other forms of two-factor — such as time-based one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback (https://ift.tt/2aql0iq) on these recommendations.

If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown (https://ift.tt/2bVaz6j) of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.

“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.

Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right: text messages are a lot like email, in that it’s difficult to tell who really sent a message (the sender ID is trivially spoofable), and the message is not encrypted end to end, so it can be read by the carrier and by anyone able to intercept it in transit or to get the number reassigned to a phone they control.

But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.

[Image: Google’s new push-based two-factor authentication system. Image: Google. https://ift.tt/2bU59DT]

Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago, consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity (https://ift.tt/25AorVw) that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now (https://ift.tt/PjOneP).

I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.

Personally, I favor app-based time-based one-time password (TOTP) systems (https://ift.tt/2bgDBLA) like Google Authenticator (https://ift.tt/VOkqJ5), in which a mobile app derives a fresh, short-lived code from a secret shared with the site and the current time, so no code ever travels over the phone network.

Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system (https://ift.tt/28Op2vY) that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security (https://duo.com/) [full disclosure: Duo is an advertiser on this site].

For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out twofactorauth.org (https://ift.tt/1qo17Yg). And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.

This entry was posted on Wednesday, September 7th, 2016 at 9:29 pm and is filed under Other (https://ift.tt/1i0cU6m).

via https://ift.tt/2bV8Mhy