2FA, SMS, and you

julia ferraioli on August 11, 2018

This is cross-posted from my blog. 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) are ways of securing accounts above and be... [Read Full]
markdown guide
 

OK, mostly I agree with this, but - and a big but - SMS-based 2FA is astoundingly better than no 2FA. I mean bucketloads better than no 2FA. Yes, TOTP is better still, and anything hardware is pretty damn awesome. I'm old-school, so I'm using PKCS#11 smartcards, but if U2F is what you prefer that's fine too.

But let's look in detail:

  • No 2FA

If there's no 2FA at all, an attacker just has to guess your password (or obtain it via a wide-trawl phishing attack, or ... or ...). Your best option here is to ensure you have a strong, unique password - and protect its use by ensuring it's only entered into the actual site. Good password managers will handle all this for you.

Everything else beyond this is an addition (until we get to PKCS#11, anyway).

  • SMS 2FA

Now, an attacker has to target you specifically, and obtain access to your mobile phone number, or your handset in some way. Either is a magnitude more effort than just getting your password, and moreover, it becomes a targetted attack instead of a more general trawl. By using SMS 2FA, you're forcing an attacker into completely changing their game.

Yes, of course you might be the target. Yes, it's weak. But it's forcing a huge amount of additional workload on an attacker, so if this is your only option, you should absolutely use it.

But, you know, if it's your bank account, I'd be looking to change bank.

  • TOTP 2FA

Now, in a partial breach case, TOTP isn't actually much better than a password. Lots of sites store the TOTP secret in the clear, and it's pretty weak, cryptographically - the specification allows for making it much stronger, but unfortunately the predominant client app - Google Authenticator - doesn't seem to support the higher settings, so we're stuck with the entry-grade.

Still, an attacker has to get at that shared secret, whether that's from your mobile phone - in which case, folks, it's not much harder than SMS - or else from the server. Cryptographically breaking TOTP is still too difficult, though it's rapidly approaching feasibility, and you'll want to keep an eye on that one.

Still, better than SMS, for sure - but while it's certainly significantly better, it's not the game-changing gap that's between no 2FA and SMS.

  • U2F

Universal Second Factor is essentially a cheap hardware cryptographic device - it's doing cryptographic magic™ on a chunk of silicon that means an attacker can't duplicate it - you can't pull the private key out of the device. They can, of course, steal it, which is - in technical terms - "Bad".

The good news, though, is that you'll know if this happens, generally - and knowing about a potential breach is half the battle.

So clearly, if you can use U2F, go for it.

  • PKCS#11

The "old-school" is to use a PKCS#11 device, usually a smartcard. Your bank card might even be one, if you live in Europe particularly. (If you live in the States, you might get one in a decade...)

PKCS#11 devices are pretty similar to U2F devices - indeed, U2F is essentially a modern, consumer-grade, PKCS#11. The main difference is that smartcards generally require a PIN. On a really shiny system, the card reader itself has the PIN entry pad, so it cannot be obtained by a keyboard sniffer.

All this is because they're used as the sole means of authentication in many cases - including the US military "Common Access Card".

In fact, some U2F devices can be used as PKCS#11 devices - some of the Yubikey range for example. While these don't use a PIN, they can do the other magic - a PKCS#11 device will provide authentication at the TLS level, it can literally "be" your SSH key, your PGP key, or your S/MIME key.

 

That's a great write-up, thanks!

There's a phrase I really like, which is "usable security". That is, how do we secure things in a way that both actually secures things, but isn't so onerous that it makes it impossible for people to use. U2F is getting there, but a lot of folks -- especially folks who are new to good security hygiene -- are having a hard time with adoption.

I don't disagree with most of what you've said, but my view is a bit different. The place I have seen people get into is when account recovery happens by way of authenticating with SMS, or no account recovery is possible at all once the 2nd factor is compromised. In both cases, the user is totally hosed.

And, yeah, totally agree about the bank note!

Anyway, that's my justification for not a flat out recommendation for using 2FA via SMS if no other option is available. Depending on the type of account, having it compromised for a limited amount of time (via the password being compromised and then recovered) may actually be preferable to losing access permanently. Social engineering is really not difficult to do, especially if the account holder personally is a target.

Thanks again for weighing in! There are a lot of factors (ha) to consider. I try to get everyone to use U2F, but am not always successful :-)

 

U2F is great because it's a relatively cheap hardware dongle. I'd like people to be using the U2F devices that are also PKCS#11 devices, but the ones that also handle NFC for mobile use tend to get prohibitively expensive.

What I'd love to see is banks and similar hand these out to customers uninhibited, so that their customers get better security everywhere - but most importantly at their bank.

That would be amazing. After all, it's in their best interests not to have accounts compromised, as well.

code of conduct - report abuse