📜 With modern computers capable of testing millions of password combinations per second, securing your online accounts with only a password may not be sufficient anymore.
For the past 30 years or so, we’ve settled on using a password-username pair as a happy compromise between usability and security. You have some knowledge that no one else has, so it must be you who’s trying to log in.
Passwords, however, aren’t foolproof. People pick bad ones, and even the good ones are at risk of being exploited (for example, by keyloggers). That’s why a second factor can be useful. On top of something you know, you must also provide something you have to be authenticated.
Types of Two-Factor Authentication
A server can use any of these three options to prove that you own the trusted device:
- Your phone number (via SMS)
- A software key (also known as TOTP)
- A hardware key
While their implementation differs a little bit, the authentication flow for all of them is very similar:
- The user sends their username and password to the server to be authenticated as usual
- The server confirms the credentials are correct and asks for a second input from the user
- In the case of the first two methods, it’s a one-time passcode (OTP); we’ll talk about hardware keys in a future article
- The user provides the OTP, and the server finally authenticates the user
With mobile phones being as ubiquitous as they are today, they’re an obvious choice for “thing you have,” so perhaps it won’t surprise you that SMS 2FA is the most widely adopted of the three (you can check a list of services and what kind of 2FA they support here).
The application generates a unique passcode that is valid for a fixed amount of time, generally a few minutes or until a new one is generated, and sends it to the user via SMS.
The point of generating “one-time passwords” (or OTPs) like these is to prove that you have ownership of the phone number on file, which should be unique to the user.
It protects the user in a scenario where a third party knows the password but does not control the phone number. And if the user is re-using passwords across services, which should be avoided at all costs, the passcode is different for each service, giving them an extra layer of security.
However, there are some shortcomings with this approach. Even though the latest NIST guidelines didn’t remove the recommendation of SMS as a second channel for authentication, some experts such as Brian Krebs have cautioned against using it as identity proof.
Phone numbers were never designed to be used for security purposes. They’re meant to be given out publicly, so it’s not that hard for an attacker to find out what yours is. From there, they have many options to get the OTP: social engineering or phishing you, or even attacking the carrier.
One such attack, perhaps the most common (or at least the one that gets the most press coverage), is known as a SIM swap attack. Carriers will often swap a phone’s service to a new SIM card if the customer requests it (presumably because they lost their phone).
The SIM swap attack consists of an attacker requesting the transfer of the victim’s SIM service to another SIM card that they control. It can happen with inside help from rogue employees or, without it, by social engineering the support staff.
And because it must involve third parties, such as the phone carrier, and the SMS protocol wasn’t designed with security in mind, the attack surface of SMS 2FA is larger than that of the other two methods.
Why is it so widely used, then? The adoption of two-factor as a whole is low (less than 10% of Gmail users use 2FA according to a 2018 report), so trying to drive the adoption rate up by using something that the users are already very familiar with, like SMS, is desirable.
However, there’s a way to keep the good things about SMS 2FA while removing the bad: by using software 2FA. Now the carrier is no longer involved with the process, but the codes can still be read from the user’s phone.
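The authentication flow described above, with a software key (TOTP) as the second factor, as an added example that is not code from the original article: the RFC 4226/6238 code generation an authenticator app performs, plus the server-side checks a practitioner would want (constant-time comparison, a small clock-skew window, and rejection of replayed codes). The account, salt and password are constructed demo values; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # code length shown in authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

class SecondFactor:
    """Server-side code check: tolerates +/-`skew` steps of clock drift, compares in
    constant time, and never accepts a time step twice (replay protection)."""
    def __init__(self, secret: bytes, skew: int = 1):
        self.secret, self.skew = secret, skew
        self.last_step = -1  # highest time step already consumed
    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue  # already used (or older than a code already used)
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False

# Constructed demo account (not real data); the TOTP secret is the RFC 6238 test key.
SALT = b"constructed-salt"
USERS = {"alice": {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp": SecondFactor(b"12345678901234567890"),
}}

def login(username: str, password: str, code: str, now: int) -> str:
    """The two-step flow from the article: password first, then the OTP."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied"
    return "ok" if user["totp"].verify(code, now) else "second factor rejected"
```

Feeding the RFC test times (59, 1111111109, 2000000000) into `totp` reproduces the published vectors, and a second `login` with the same code is refused even though it is still inside the time window.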
The biggest problem with software 2FA, in my experience, is that it’s the most difficult type of authentication for people to understand.
While everyone has received an SMS before, and they also intuitively understand that hardware keys work like real-world keys, it’s often not clear how software 2FA works because there’s a lot of “magic” happening under the hood.
So today, we’re going to peel back the curtain and see how it works, how the codes are generated, and what it does and doesn’t protect against.