63

Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages sent to your mobile phone. This creates two concerns:

  1. I travel frequently overseas and lose access to 2FA accounts any time the associated SIM card can't touch a network.

  2. Your phone is inherently your least secured device. I install way more software and download way more files on my phone than anywhere else with much less ability to verify sources or control access. For example, nearly every app requests sweeping permissions to function correctly. Even apps that aren't granted explicit permissions have been found to backdoor those permissions through google services.

I feel like linking my phone to sensitive accounts (such as banking) would actually make them more exposed to attack and more difficult to maintain legitimate access.

functionalparanoia
  • 521
  • 1
  • 4
  • 4
  • 12
    This question may be improved to clarify whether it means 2FA via SMS (as in the body of the question) or the whole range of 2FA via mobile phone (as in the title) methods that are generally more secure than 2FA via SMS. – Peteris Oct 23 '19 at 12:47
  • 4
    "Everyone knows that two factors are better than one." [citation of peer reviewed longitudinal study needed] As an argument against: your Question. – Eric Towers Oct 23 '19 at 16:45

6 Answers6

52

Is 2FA via mobile the best security there is? No. SMS 2FA is the weakest form of 2FA, however, it's still worthwhile because it does improve security and it has a relatively low barrier of entry especially for non-technical users.

What can be improved? You can use TOTP token using apps like Google Authenticator. This still uses your mobile phone, but it doesn't rely on the phone number, so you can still use OTP even when your phone doesn't have connectivity.

The next step after is to use dedicated hardware token that complies with either U2F or WebAuthn, like RSA token or Yubikey. Website support is fairly limited to some of the major sites, but it's a great alternative when it's available. Google Accounts is also an OAuth provider so you can use it for social network login.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Lie Ryan
  • 31,279
  • 6
  • 69
  • 93
  • 18
    I have a TOTP app on an old phone without a SIM with no other apps and disconnected from any account I use that I travel with. It's basically a really expensive Google Authenticator device. – schroeder Oct 23 '19 at 08:26
  • 1
    Could you please provide more information or references on why "SMS 2FA is the weakest form of 2FA"? – Elhitch Oct 23 '19 at 08:45
  • 7
    @Elhitch this is common knowledge by now, I think, and not a strange claim. It was deemed an insecure method in 2016. A google search for "SMS 2FA" returns quite a number of hits that cover this. – schroeder Oct 23 '19 at 08:58
  • @Elhitch see, e.g., https://security.stackexchange.com/q/14667/54387 – muru Oct 23 '19 at 10:06
  • Would rather suggest to go for soft tokens ( software tokens ) which essentially are mobile applications running on your phones which can generate the OTP based on the shared secret , they are equally secure , easy to deploy and a cost effective way to do 2FA ( when compared to dedicated hardware token ) – Soumen Mukherjee Oct 23 '19 at 10:17
  • 2
    @SoumenMukherjee and phones can get malware, and are very often used during the day, and a target for thieves. Hardware tokens do not have these problems. – schroeder Oct 23 '19 at 10:25
  • A well written and a secured mobile application does not have these problems as well... – Soumen Mukherjee Oct 23 '19 at 10:33
  • 3
    @SoumenMukherjee that comment does not make sense. It's the device I'm talking about. The threats against the *device*. – schroeder Oct 23 '19 at 10:44
  • 8
    It basically boils down to *any* 2FA is better than no 2FA at all, right? – Mast Oct 23 '19 at 13:26
  • In addition to avoiding the telephone network (Simjacking *has* occured in the wild), TOTP is also more secure (especially on older mobile OSs) because private memory of apps is more protected than SMS. It is often easier to access SMS data than to access a TOTP app's private storage. Though malware with root access can see both, and both are probably considered prime targets. – Brian Oct 23 '19 at 14:54
  • 3
    On the other hand, Google Authenticator is.. Google, which may not be the most secure :-). Consider Authy. Or better yet, if your phone has some sort of communication with a YubiKey, use that. Most secure when traveling because you can keep them physically separate till you need to use them together, in other words if your phone gets stolen they don't automatically get authentication to your important accounts. – George M Reinstate Monica Oct 23 '19 at 22:22
  • Yeah, connectivity is a concern, but not the main issue. The device is not under threat if a new device has been substituted, right? (diversion of the number). But major outages during natural disasters, network failures, or Government mandate during a crisis cuts off all SMS 2FA with the other network traffic. – mckenzm Oct 23 '19 at 23:16
  • 1
    Not completely related, but make sure you set your phone's clock right if you use it as a connectionless TOTP. That was a really embarrising help desk call to say the least. – zero298 Oct 24 '19 at 04:41
  • @Elhitch https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ – jub0bs Oct 24 '19 at 09:59
  • Note also that the NFC-enabled Yubikeys can be used as HSMs for phone-based TOTP OATH with eg [Yubico Authenticator](https://www.yubico.com/products/services-software/download/yubico-authenticator/) (which is also available through [f-droid](https://f-droid.org) for those that don't like the Play Store). The phone provides a timestamp, and the Yubikey seals it. This gives the benefits of a HSM while not requiring specific HSM support, unlike option 3 above. – MadHatter Oct 25 '19 at 06:19
  • 1
    @Mast I would challenge the statement that "any 2FA is better than no 2FA". If your second factor is extremely weak but inspires a misplaced sense of trust in your users, human nature is such that people may well become overly complacent about their primary factor and, e.g. use an insufficiently strong password thinking the second factor will protect them. This could easily result in an overall decrease in security over a single-factor system. – jmbpiano Oct 25 '19 at 16:41
  • @jmbpiano I'm trying to summarize the answer, not positing a statement. – Mast Oct 25 '19 at 18:51
29

SMS 2FA is not only a bad idea; it's worse than not having 2FA at all (password only). This is because virtually all services offering "SMS 2FA" are actually delivering SMS 1FA! That is, they allow full account recovery via SMS, with no need to have the account password. This means anyone who can:

  • convince your mobile carrier to port your number
  • convince your mobile carrier they're you and they lost their SIM card and need a new one
  • setup an IMSI catcher
  • steal or "borrow" your phone and get it unlocked
  • install malware on your phone with SMS permissions
  • etc.

can fully takeover virtually any account you have enabled SMS "2FA" on. In the past, these kinds of attacks have been limited to targets with high-value accounts tied to the number (accounts holding a large balanace on cryptocurrency exchanges, email and social media accounts of political figures and celebrities, etc.) but are growing to be a threat for everyone, possibly even random untargeted attacks.

If you need 2FA, use TOTP software or a hardware token. Not only should you not enable SMS 2FA; you should not even give your mobile number to services you hold valuable accounts on, since they inevitably will use your number as SMS 1FA if they have it on file.

  • 3
    You exaggerate. All responsible services do require a password before sending the verification SMS. But the malpractice of giving our phone numbers to random services should be discouraged, here I agree with you. – Alex Cohn Oct 23 '19 at 18:14
  • 23
    If you use the normal login interface, yes. If you use the "forgot password" interface, nope. Even big ones like Facebook screw it up. – R.. GitHub STOP HELPING ICE Oct 23 '19 at 18:49
  • 1
    This is a massive problem for banks, bitcoin, PayPal etc. You effectively need to conceal the number used from the rest of the world. In the event of a breach you need to burn it and update. It is still easy to get a provider to port a number to a new SIM, but getting harder. – mckenzm Oct 23 '19 at 23:18
  • 4
    @AlexCohn I'm able to completely recover my account through SMS for USAA (a large banking and insurance company). I never signed up for using SMS as "2FA" and had somebody steal money from my account using the SMS recovery option before I realized the bank had added it. It is absolutely a thing large organizations do. I'll agree that "responsible" ones don't, but lots of organizations are much less responsible than you might guess. – Kat Oct 25 '19 at 17:18
  • 3
    For what it's worth, I had this happen on Facebook with a phone number I hadn't used in nearly 10 years, that was only used for getting updates via SMS in a country with poor internet connectivity, that had been assigned to someone else. Result would have been disastrous for privacy of myself and others if I hadn't immediately seen the reset notification to my actual phone in realtime as it happened. Immediately reset again and removed all phone numbers from the account. After that FB constantly spammed me to "add a phone number for security". – R.. GitHub STOP HELPING ICE Oct 25 '19 at 19:02
2

It depends on what you compare to, what you have to protect and what your users can be billed and trained to use.

2FA with mobile phone is prone to phone theft, phone malware, phone operator's SIM replacement (mis-)procedures, mobile net vulnerabilities and so on.

It is, however, WAY better than 1FA of, say, user password. So it makes a good step at securing a great number of things. The attacker has to steal not only a password, but also attack your phone in some way or another. An attack against a phone is either easily noticed (a phone missing or not working) or complex.

My bank offers (along with a better options) SMS 2FA for a limited functionallity of their internet banking. They have to. A lot of their customers cannot be bothered to use something more complex and if you force them they will just find another bank.

fraxinus
  • 3,458
  • 6
  • 20
  • 2
    "Way better than 1FA of, say, user password" is not meaningful without qualifying in what ways it's better - what threats it stands up better against. – R.. GitHub STOP HELPING ICE Oct 23 '19 at 12:30
  • Valid point. I'll try to clarify. – fraxinus Oct 23 '19 at 12:34
  • 4
    Yes, it's all about the threat model. Is 2FA by SMS going to help against the NSA targetting you specifically? Almost certainly not. Can it help against some simple broadly targeted malware that steals banking passwords saved in your browser? Yes (and that's probably more relevant for most people). – rlms Oct 23 '19 at 13:15
  • 2
    You can let the idiots use SMS 2FA, no problem, as long as the banks offer something else for the rest of us. It actually works out better that way for those of us who don't use SMS :-). – George M Reinstate Monica Oct 23 '19 at 22:24
1

Your first concern is a very real one, services who don't understand that sometimes, some customers may have no access to text messages – these services are wrong.

However, having other software running on your phone is not the worst concern regarding 2FA via SMS.

OK, some bad actor will read a one-time 6-digit authorization token. They cannot reliably hide this text message from you, so the scenario "fake access to your account on a different device, stealthly read the 2FA code on the legitimate device, and pass it (e.g. over internet) to the attacking device" is not very likely.

The worst concern is that it's rather easy to compromise this channel. A government may order your cellular operator to give them a back door to text messaging. A criminal actor can use human engineering to attain an illegal copy of your SIM card, or stealthly install equipment to intercept the text message that is intended for your eyes only.

Alex Cohn
  • 823
  • 5
  • 7
  • 1
    Of course they can hide the authentication sms from you: https://stackoverflow.com/questions/419184/how-to-delete-an-sms-from-the-inbox-in-android-programmatically – Ángel Oct 23 '19 at 04:52
  • 1
    @Ángel: an app that has `android.permission.WRITE_SMS` can delete the message, but it's end-user who granted this permission. Furthermore, even then the message would have be broadcasted to all registered SMS receivers. If the end-user chose to disable all of them, and put all their trust in the single malicious app, then the choice of 2FA technique is the least security trouble. – Alex Cohn Oct 23 '19 at 07:30
  • 5
    Note that German (and Swiss) banks have moved away from SMS 2FA because there were significant attacks against online banking using SMS 2FA, so this is not just a theoretical worry. (However, attacking bank accounts containing real money is more attractive than being able to forge a log in to security.stackexchange.com.) – Martin Bonner supports Monica Oct 23 '19 at 08:43
  • @AlexCohn the user cannot grant read_sms without write_sms. While internally they are different permissions (with good reason), the user UI is 'simplified' and only a generic SMS right is requested/authorized (I would prefer that there was an advanced option to manage the individual permissions, though). – Ángel Oct 24 '19 at 12:44
0

2FA by text messages - Multi-Factor Authentication (2FA) by text messages are quite cumbersome, mainly because, as you said, replacing the sim makes it almost impossible to even authenticate yourself unless you own two phones or a dual-sim phone, and it is also less secure and more vulnerable to SIM hijacking attacks.

2FA through applications - Platforms like Blizzard and Steam, or Authenticator apps like Google Authenticator and Authy perform 2FA through mobile applications, does not take your SIM into account and is therefore more secure and convenient.

So, if your question is whether 2FA through mobile phones is a good idea, then I'd say it is, depending on the method of implementation. Changing sim cards aside, if you're concerned about security, my best advice would be to be more wary about the things you install - always check online for the credibility and security of the application, because although this maybe annoying to do, using 2FA is by far one of the best ways to ensure password security and it would be far less secure to not use it.

s h a a n
  • 325
  • 1
  • 3
  • 14
0

MFA via SMS is not the best form of MFA. In some ways it’s kinda the worst. Stay away from that one as much as possible basically.

MFA via other mobile sources - such as TOTP codes via apps like Google Authenticator - are great. I recommend using those as much as possible.

securityOrange
  • 921
  • 5
  • 12