Revisiting Two-Factor Authentication and Security - Examining the Arguments For and Against This Reliable and Pervasive Methodology - Sinch ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Revisiting Two-Factor
Authentication and Security
Examining the Arguments For and Against
This Reliable and Pervasive MethodologyFor many of the applications that require the extra
security that two-factor authentication (2FA)
provides, SMS will more than suffice as a delivery
channel. Most enterprises and end users can view
2FA over SMS with confidence as a key method
of providing security. In this paper we address
arguments about the efficacy of this delivery
methodology and examine what you should know
about 2FA leveraging SMS going forward.
2 / 10Introduction
Two-factor authentication (2FA) is one of the In June 2016, the United States National
most effective ways of protecting accounts, Institute of Standards and Technology
and it is widely used across the world. (NIST) published a draft of its Digital Identity
A common and convenient method Guidelines (NIST SP 800-63-3). Section
of deploying 2FA is to deliver tokens (PIN 5.1.3.2 noted that out-of-band verification
codes, verification codes, one-time through SMS will be deprecated and will
passwords [OTPs], and the like) through not appear in future releases of NIST’s
SMS to the user’s mobile device. guidance. This recommendation was
specifically targeted for U.S. government
In a recent survey performed by Sinch, applications; however, in the final version of
75% of the respondents indicated that the document, the deprecation of SMS was
SMS was their preferred delivery method. ultimately withdrawn.
Furthermore, 85% of the respondents said
they preferred receiving an authentication The NIST proposal raised significant
code on their mobile device to provide alarm in the United States and elsewhere
additional security with their user ID about 2FA over SMS, evidenced by some
and password for online transactions. attention-grabbing headlines proclaiming
that the end of 2FA through SMS was at
As an out-of-band delivery channel, SMS is hand. This sort of exaggerated hype is
overwhelmingly popular with consumers and damaging to 2FA overall. Furthermore,
is provided by major online shopping sites while the NIST recommendations did bring
such as Amazon and eBay as well as banks, up valid points, we believe that most of
social networks, e-mail providers, and many them were of debatable value because
others. The key benefit to SMS is that users they represented rare edge cases and,
don’t need to download a specific mobile, if followed, would have unnecessarily
code-generator, or authenticator app, which limited use of 2FA – which remains a very
could be viewed as a barrier to 2FA adoption good solution that benefits overall security
by consumers. for the majority of situations.
As an out-of-band delivery channel, SMS
is overwhelmingly popular with consumers
and is provided by major online shopping sites
such as Amazon and eBay.
3 / 10Examining common arguments against
2FA over SMS
Arguments against 2FA over SMS as an through a chat or phone call. This is different
out-of-band delivery channel range from from the account password.
SIM swap fraud to issues with encryption to
questions about the availability and efficacy While SIM swap fraud does still occur
of SMS itself. Let’s examine a few of these. in many markets, it has become more
difficult to achieve, as mobile operators are
Interception of a phone number implementing new security procedures and
(SIM swap fraud) protocols for customer service reps to prevent
this type of fraud. For most applications,
There have been a number of attacks the potential security issue of delivering 2FA
against mobile phone providers in which tokens to phones through SMS does not
the attacker transfers the phone number outweigh the benefits and convenience of
to a third party. This is called SIM swap 2FA over SMS.
fraud (for background, see this UK-operator-
centric post). This fraud requires a bit of Additionally, many providers of SMS-based
social engineering by attackers on the mobile 2FA solutions are now turning to capabilities
operator representatives. These bad actors by working with mobile operators and
must convince whomever they are dealing mobile-number registry providers that can
with at the mobile operator that they are, in detect when a SIM change has occurred on
fact, the owner of the phone number. If this a mobile device. If the SIM change was very
happens, this type of fraud can be serious recent (within the last seven or so days),
and difficult to overcome. an alternative method to validate that
particular user may be offered to the business
Today, solutions vary by country, but most that does not leverage the mobile phone
major operators around the world have number. For this, both the end user and the
already put in protections against this type business are further protected. While these
of fraud or are in the process of doing so. types of SIM-swap detection methods may
For example, in the United States, mobile cost more than simple 2FA through SMS,
operator reps ask for a particular security they can still offer significant protection in
passcode that subscribers have set before cases where the SMS method of delivery of
any action will be performed on the account 2FA codes is desired.
For most applications, the potential security
issue of delivering 2FA tokens to phones
through SMS does not outweigh the
benefits and convenience of 2FA over SMS.
4 / 10Encryption questions device has likely been deceived through some
social engineering technique into accessing
This issue was originally related to the 2G the malicious app through a nonstandard app
GSM standard, which uses an over-the-air store or by downloading unknown or phishing
encryption scheme called A5/1. There have data from an e-mail – both practices that are
been a number of published attacks on A5/1, fraught with peril anyway.
and it can be decrypted in real or near-real
time. It has been said that 2G towers are Yes, this can be done; however, in these
easy to spoof and the encryption is easy to cases, we need to assume that device
break, and that most phones will downgrade owners should maintain some control
(from 3G or LTE) without informing the over what is downloaded to their device.
user. The downgrading part is true; however, Legitimate Android and Apple app stores
most actors that can deploy or spoof 2G actually have very little (known) malware.
fake towers are extremely sophisticated, While it is possible that what appears to
and the cost versus the benefit of doing be a legitimate app can have malicious
this to capture 2FA over SMS messages is capabilities, these cases are rare.
limited at best. In fact, documents leaked by Again, limiting or deprecating 2FA over
Edward Snowden in 2013 indicate that the SMS as a result of these types of situations
U.S. National Security Agency can process is significant overkill. With some malware,
encrypted GSM A5/1. Today, in 2021, 2G time-based one-time password (TOTP)–
and even 3G networks are being sunsetted compatible authenticator apps may be
around the world. Very few places in the equally compromised through the use of
world are using 2G as a primary mobile screen-scraping technology.
network. Today, it is mostly 4G (for example,
LTE), and in many places, 3G is also being Overall, these very technical arguments
phased out. With 3G and LTE, basic services against SMS are definitely not wrong, but in
such as voice and SMS employ over-the-air real-world cases, they relate to situations that
encryption that is much more robust. are already quite rare and are diminishing in
frequency. It is easy to cite SIM fraud or SMS
While network decryption is certainly interception as an argument against 2FA over
possible, it is not practical and definitely is SMS, but even so, two-factor authentication
not a reason to rule out 2FA over SMS for is just that – two factors – the first being a
most applications. user ID and password (something the user
Interception on the device knows) and the second being the delivered
verification code through SMS. So unless
Some devices may be compromised by the bad actors have both factors, the account
malicious apps that can intercept SMS is still protected.
messages and relay the content to bad-actor
third parties. In these cases, the user of the
5 / 10SMS reliability and efficacy The SMS delivery provider should leverage
as many direct mobile-operator connections
Detractors of 2FA over SMS will cite SMS as possible, using all high-quality routes
reliability as an argument against using SMS since many of these 2FA tokens have short
as an out-of-band delivery channel. expiration times. It is imperative that these
They will say that 2FA codes should have SMS messages comply with all regulations
a short (typically less than 15 minutes) and best practices for the country and mobile
expiration time. We say, the shorter the better, operator for which they are intended.
but not so short as to not be When they do, the message delivery rate
useful – a 10- to 15-minute range is is extremely good and usually occurs
quite sufficient. within seconds.
SMS delivery times are highly dependent To provide better security for 2FA, it is
on how messages are delivered. also recommended that businesses using
While the details are sometimes complex, it would use approved short codes or
it is incumbent upon the business that offers vanity toll-free numbers – essentially vetted
2FA over SMS to use a well-known and and approved sender IDs for their 2FA
respected SMS provider. SMS reliability is SMS messages. They should not be
absolutely dependent upon how messages using random long codes, which are
are routed from the enterprise entity to the popular with fraudsters.
appropriate mobile operator.
Another common argument against SMS
Service providers that offer lower-cost or for 2FA is that some locations don’t have
least-cost routing for 2FA traffic (for example, phone reception, either due to their location
by leveraging the so-called grey routes for or because the user is in a different territory
SMS) run the risk of having their messages with an incompatible phone device or without
delayed or blocked entirely. SMS delivery roaming enabled. Lack of mobile phone
providers who employ hundreds or thousands reception (such as within some buildings)
of originating numbers in an attempt to avoid can be an issue for some people. To overcome
message blocking on behalf of their customer those situations, an enterprise deploying 2FA
(for example, a bank) are usually trying to should consider multiple delivery channel
get around regulations. options – for example, the 2FA token could
be delivered to an e-mail address, accessible
It is incumbent upon the business that
offers 2FA over SMS to use a well-known
and respected SMS provider.
6 / 10from a connected laptop. Alternatively, or access to government or high-security
the enterprise could also use validation applications or platforms. In these cases,
of tokens generated by a specialized the recommendations put forth in the latest
authentication app such as Google NIST guidelines can certainly be valuable.
Authenticator to support those users
who don’t have indoor (or even roaming) For many users, a TOTP-based authentication
connectivity. Once again, while these edge app (such as Google Authenticator) on their
cases do exist, they do not amount to a mobile device provides incrementally more
reason to completely abandon 2FA over security than receiving the authentication or
SMS for the majority of users. verification code through SMS. TOTP apps
are relatively easy to download and use on
SMS is limited to a single device because it smartphones and typically do not require a
is tied to the user’s phone number, while a data connection to generate a code. The app
TOTP app can be used on multiple devices, must be configured to work with the site or
such as a mobile device and a desktop. application by the user (or IT department).
This is actually not a bad situation. In today’s However, this is typically trivial – and today
mobile age, the mobile device is almost many TOTP authentication apps offer
always with its owner. The single phone additional capabilities such as backup and
number acts as a true out-of-band address – restoration of configurations.
a good thing for using 2FA with SMS as the
delivery channel. If a user’s mobile device is questionable,
then high-security options include using
Higher levels of protection separate hardware tokens or deploying
three (or more) factors such as biometrics
There are situations in which an enterprise (fingerprint, iris or retina scan, facial
may not want to expose its customers to recognition, or voiceprint).
the risk, however small, of receiving an
authorization code through SMS – for
example, for high-value financial transactions
In very nearly all situations, 2FA over SMS
provides sufficient security to protect both
enterprises and end users from fraud,
with little disruption for the end user.
7 / 10Messaging channels other than SMS made with RCS that go beyond just the
phone number, such as reusing an ID that
In many parts of the world, it may be could have been set up when the user’s
beneficial to use an alternative messaging account was set up. A bad actor’s phone
channel, such as WhatsApp or even rich with a new SIM for the user’s phone number
communication services (RCS). These are would not have the original session ID
also typically phone-number based, but both and, consequently, could be blocked from
can offer some additional security features receiving the RCS message.
directly to the messaging client.
Many options exist when using social
For example, with RCS, a 2FA message messaging platforms such as WhatsApp and
may no longer require that the user others to receive 2FA messages. While not
respond with a code they received from the as straightforward as SMS, they can offer
message. Instead, directly in the message, some additional options for users and even
the user is asked to “Accept” or “Deny” additional security – even though they are
the authentication. Other checks can be phone-number based like SMS.
8 / 10Summary
For most applications that need the extra While no scheme is 100% secure,
security that two-factor authentication in very nearly all situations, 2FA over SMS
provides, SMS as a delivery channel will provides sufficient security to protect both
more than suffice in most situations. enterprises and end users from fraud,
While SMS may not be completely secure with little disruption for the end user.
since the messages are transmitted over Add to this the fact that it is convenient and
mobile networks, this is still a high-security does not require any additional downloads
solution. We should note that 2FA tokens or app installations, and you have a solid
generally have a short expiration time – and practical security solution for most uses.
usually no more than a few minutes – and Still, as we move into the 2020s, there are
that there are limitations on how many times also newer options, such as social messaging
a user may try to enter a received code before apps and RCS, that can offer newer use cases
the solution locks the user out for a specific for user validation, as well as better security.
time period.
Learn more
To discover more, contact your Sinch representative, visit us online, or join our community.
9 / 10www.sinch.com
Sinch brings businesses and people closer with tools enabling personal engagement. Its leading cloud communications
platform lets businesses reach every mobile phone on the planet, in seconds or less, through mobile messaging, voice and
10 / 10
video. Sinch is a trusted software provider to mobile operators, and its platform powers business-critical communications
for many of the world’s largest companies.You can also read
