
I use 2FA on all services that support it. I generate backup codes and store them in a secure encrypted location. Most services unfortunately require an SMS backup, which represents a security issue, as an attacker might be able to trick my phone company into redirecting my number or porting it to another provider.

To better protect against this I have considered using Twilio or another service to create a number that can receive text messages. I would then have those numbers posted to somewhere secure that I can check when I expect a SMS message. Probably the easiest way is to configure Twilio to post to an AWS Lambda endpoint that posts to SQS.

This strikes me as a more secure method, and I will probably do it, but I don't know if I have a complete understanding of all the risks. The issues that I can think of are as follows:

  • It's effectively security by obscurity, as an attacker wouldn't know my 2FA phone number, but if one site's database is compromised then the number is known. I guess I could generate a number for each site, but that seems like it could get expensive!
  • Could the number be ported without Twilio's (or my) consent?
  • Can someone intercept a SMS message in some other manner?

Effectively, it seems like mitigating this all hinges on the 2FA number being unknown. Perhaps I might use unique numbers for highly critical services like e-mail and a standard number for less important things.

Steve Rukuts
    This whole "SMS is bad 2FA" thing bugs me. Is SMS weaker than a hardware token? Yes. Is it better than no 2FA? Emphatically yes. In an ideal world compromising the second factor in a usable way requires compromising the first factor as well. Which, if you use a password manager and a good password, should be nearly impossible. – AstroDan Aug 28 '17 at 13:12
  • I think the "porting" question is something you'd have to ask Twilio, and it seems like the gist of your question comes down to how SMS messages can be intercepted. I don't want to mark this as a duplicate, but check out [How hard is it to intercept SMS 2FA](https://security.stackexchange.com/a/11512/52676) – RoraΖ Aug 28 '17 at 14:27
  • There's another question about [if TextKey is secure against phone cloning](https://security.stackexchange.com/q/36452/52676) which you might find interesting. – RoraΖ Aug 28 '17 at 14:35
  • @AstroDan I'm concerned about a scenario in which an attacker grabs my password somehow and then uses an SMS message instead of a TOTP generator to access the account. If it was possible to disable SMS backups on all 2FA systems then this wouldn't be a problem - so I'm not worried about GMail for example. – Steve Rukuts Aug 29 '17 at 07:27
  • @RoraΖ I guess this is essentially a duplicate of that question. However I don't believe I've seen anyone suggest the approach above. I might answer the question myself as I learn more and when I program the SMS system described. – Steve Rukuts Aug 29 '17 at 07:33

0 Answers