3

In mid-June, Lastpass made news again, and I've since been mowing around the idea of two-factor authentication. After familiarizing myself with SMS and Google Authenticator, I thought the SMS was a little more user friendly. Although not as widespread or as secure as the latter, surely it's better than a single password..?

Anyways, I had been poking around inside Tasker (automation app), when I suddenly got an idea. Would using text-to-speech on an SMS-based 2FA (have it read aloud) be a bad idea? Would it be any less secure than unlocking the phone and reading the message? Considering permissions/malware/etc, I feel like it could be intercepted if it wanted to be, but I am not educated on the schematics to know any better. I would like to know if this would be a viable option, or would it just be too unsafe?

Pierre.Vriens
  • 165
  • 1
  • 1
  • 11
Double
  • 31
  • 1
  • I am curious. What do you mean by text to speech in this context? One would type ones name into the phone, and it would say who you were? I think I have had a long week –  Jul 04 '15 at 03:55
  • 3
    The problem with SMS 2FA is all that is needed to break it is a sin card registered to that phone number. Ringing the phone service provider, I have lost my old SIM card for number x can you please send a new one to address y has been a successful attack. If the user targeted isn't actively using the mobile network at the time the new SIM is powered they won't realise anything is wrong until it is to late and all that happens is you suddenly find it is emergency service only, unless you have a second SIM on same network needed to confirm from a technical issue in the network. – ewanm89 Sep 16 '16 at 16:25

3 Answers3

1

I think the answer depends on what you are trying to protect against. It certainly is the case that having the message read aloud somewhat reduces the secureness of the SMS messages as 2FA. This means that someone could obtain your phone and use it as a 2FA for Lastpass without needing to unlock your phone.

But if you are concerned about generalized network attacks against LP, similar to the recent mid-June one, I don't see how having the auth code spoken aloud decreases security.

Any 2FA mechanism offered by LP will, in most cases, be more secure than only using single factor authentication. So even spoken SMS messages will help in most cases.

PS: One thing to keep in mind, SMS messages are not encrypted end-to-end. Certainly your mobile provider can read your SMS messages. It is possible other apps on your phone can as well. Apps like PushBullet can be used to replicate SMS messages to a computer (and likely PushBullet's servers), further increasing the chance of them being viewed by an attacker. See this answer for more on SMS security for 2FA.

Neil Smithline
  • 14,702
  • 4
  • 38
  • 55
0

If i am understanding correctly, you mean receiving an sms and have your phone capturing you saying a code/text loud. I see two potential malicious actors: external entities and your phone. If someone around you knows you are using that method, he/she may capture your voice and then use it for further authentications (by keeping the voice and changing the code/text). Then again, that would require the malicious attacker to have access to the sms to know the message and to the phone to capture the voice (victim's phone is linked to account). Also, you are not safe from having your voice captured (unless you stop speaking :P). As for the phone as a threat, a malware may capture your voice and your code but then again, if your phone is compromised, you have bigger problems and even without voice authentication, you would be screwed.

Now, what i could do is: sitting by you on starbucks and let us assume i know your email (i am talking about a typical 2FA on gmail). I could try to login slightly after you (sms receiving is almost instantaneous). You would recite the sms sent to authenticate me. Now i am in :). This assumes the person thinks there was a mistake from google which sent you two codes (the non-paranoid lets it pass). You would notice that you could not log in and would request another code/message. Still, i would be already in reading your emails.

This would be fun to watch, i must say.

Stay safe!

BrunoMCBraga
  • 476
  • 4
  • 12
0

Most attacks happen on the network while the SMS is in transit. Once it reaches your device, the fact that it's displayed or spoken won't change anything as long as that device is secure and trusted and as long as the TTS happens on the device and doesn't call any online TTS API (and if the device is compromised, using TTS or even morse code flashes won't change anything, the attacker can get your 2FA code before the screen even lights up to display the notification).

I guess the potential vulnerability would be that TTS would happen without requiring you to unlock the phone, so an attacker who stole your device won't need to know its password to be able to hear your 2FA codes.

André Borie
  • 12,736
  • 3
  • 40
  • 76