科技回声

A tech news platform built on Next.js, providing global tech news and discussion.

Security Analysis of SMS as a Second Factor of Authentication

75 points, by cimnine, over 4 years ago

11 comments

WhyNotHugo, over 4 years ago
I think the worst is when companies force you to leave SMS on as a fallback.

On Stripe, I use a security key. Someone has to either steal my keyring, or steal my backup key.

But I'm forced to leave SMS on as a fallback, so really, the weakest link is there, and a potential cracker only needs to break this extremely fragile, insecure system and completely bypass the security key.

motohagiography, over 4 years ago
SMS 2FA is weak, but it does two things: 1. it shifts the attack from a passive opportunistic one to a targeted one, and 2. in unionized environments you can add a second compliance factor without distributing new devices, "training" people to use TOTP apps, or "forcing" people to install an app on their personal devices.

That is the big cultural reason why SMS 2FA is going to be with us for a while. Sure, use TOTP and FIDO tokens for systems people, but for institutions with thousands or tens of thousands of employees, SMS 2FA is still economical and will still be with us 5-10 years from now. It's the new passwords.

The smart thing would be for MSFT/o365 to give you the option to switch to a TOTP token and other authenticators with a better experience so people can switch organically. Most security people still don't distinguish between authenticators and identities, as federation concepts like identity providers are still in the rarefied space of enterprise. Identity isn't well thought out either because it's a legal concept, and like most tech risk and liability, if anyone read the fine print they'd never use it.

SMS 2FA is basically a ritual that allows people to agree to ignore risk.

upofadown, over 4 years ago
> Email accounts have become, over the years, not only large repositories of highly sensitive and private data, but also single points of failure for digital footprints on the Internet.

This is really the key issue here. Passwords are fine if you give people some place to keep them.

> ...it became widely acknowledged that passwords should be highly complex in order to maximize their entropy and, thus, substantially increase the amount of time it would take to crack them.

This is only true if people reuse the same password for different sites. Otherwise the site can rate limit brute force attacks to the extent that even completely trivial passwords are OK.

I dunno, it seems that in most cases second factor auth is not really needed. We need to address the actual problem, not attempt to paper it over by dumping stuff on top. The "let's just let the phone company do the identity stuff" approach is a good example of failing to deal.

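The rate limiting upofadown refers to is a server-side control, so it is worth seeing what it actually bounds. The following is an added example, not code from the thread or from any product mentioned in it: a per-account exponential-backoff throttle with an assumed policy (5 free attempts, then 30 s doubling up to a day), plus a function that simulates the fastest possible online guesser against that policy to give an upper bound on guesses per hour, day or year. The store is an in-memory dict and the timestamps are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins for this account
    locked_until: float = 0.0  # time (seconds) before which attempts are refused


@dataclass
class LoginThrottle:
    """Per-account exponential backoff (assumed policy, constructed for this example).

    The first `free_attempts` failures cost nothing; every further failure locks the
    account for base_lock * 2**(n-1) seconds, capped at max_lock. The store is an
    in-memory dict; a real deployment would share it across login servers.
    """
    free_attempts: int = 5
    base_lock: float = 30.0
    max_lock: float = 24 * 3600.0
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def allowed(self, user: str, now: float) -> bool:
        """Call before checking the password; a refused attempt costs the attacker time."""
        return now >= self._state(user).locked_until

    def record_failure(self, user: str, now: float) -> float:
        """Register a wrong password; returns the time at which the account unlocks."""
        st = self._state(user)
        st.failures += 1
        extra = st.failures - self.free_attempts
        if extra > 0:
            # exponent capped so a long simulation never overflows the float
            lock = min(self.base_lock * 2 ** min(extra - 1, 20), self.max_lock)
            st.locked_until = now + lock
        return st.locked_until

    def record_success(self, user: str) -> None:
        """A correct password clears the failure counter."""
        self.accounts.pop(user, None)


def max_guesses(policy: LoginThrottle, seconds: float) -> int:
    """Upper bound on online guesses against one account within `seconds`, found by
    simulating an attacker who retries the instant each lock expires."""
    sim = LoginThrottle(policy.free_attempts, policy.base_lock, policy.max_lock)
    t, guesses = 0.0, 0
    while t <= seconds:
        if not sim.allowed("victim", t):
            t = sim.accounts["victim"].locked_until
            continue
        guesses += 1
        t = max(t, sim.record_failure("victim", t))
    return guesses


if __name__ == "__main__":
    policy = LoginThrottle()
    for label, span in (("hour", 3600), ("day", 86400), ("year", 365 * 86400)):
        print(f"max online guesses per {label}: {max_guesses(policy, span)}")
```

Under this policy an online guesser gets 12 attempts in the first hour, 17 in the first day and fewer than 400 in a year, so the guessing space a password needs to resist online is small. The throttle bounds only online guessing: if the password hash database leaks, offline cracking is unthrottled and entropy matters again, and a password reused across sites turns another site's breach into a correct first guess here. Per-account lockouts also hand anyone who knows a username a way to lock its owner out, which is why deployments usually combine them with per-source limits or a CAPTCHA rather than relying on lockout alone.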
exabrial, over 4 years ago
Please, no more SMS Authentication. Hacker News readers are in a unique position to prevent this "feature" from entering products. Let's work on putting this idea out to pasture.

TOTP, while not perfect, is an improvement. The protocol could be improved to provide protection against proxy attacks, but the point I'm trying to make is that your regular user can use TOTP. I've successfully set it up for my parents (both closing in on 70 years old and not tech-savvy) and they have no issues using it.

Personally I use a hardware U2F key everywhere I can. With the newest version of Safari Tech Preview _finally_ supporting U2F, I'm hoping we see some deeper market penetration.

dvirsky, over 4 years ago
The worst thing about SMS authentication in terms of UX is what happens when you're outside your country. I moved countries recently, but I still need to do things like retrieve tax statements etc. Some companies only support SMS as a second-tier authentication method (some at least allow you to use email as an alternative), some won't allow you to change to a foreign number, some will not be able to send you a text if you're in roaming mode abroad (I keep my old SIM active just for that).

blakesterz, over 4 years ago
I feel like this is an important clarification from the end of the intro:

"This article provides some insight into the security challenges of SMS-based multifactor authentication: mainly cellular security deficiencies, exploits in the SS7 (Signaling System No. 7) protocol, and the dangerously simple yet highly efficient fraud method known as SIM (subscriber identity module) swapping. Based on these insights, readers can gauge whether SMS tokens should be used for their online accounts. This article is not an actual analysis of multifactor authentication methods and what can be considered a second (or third, fourth, etc.) factor of authentication; for such a discussion, the author recommends reading security expert Troy Hunt's report on the topic."

Uhrheber, over 4 years ago
The main reason why companies like SMS 2FA: it costs next to nothing, and it shifts the responsibility to the customer.

Your account got hacked? Not our problem, we have 2FA. Must've been your fault.

jiveturkey, over 4 years ago
> Regardless of the critical nature of an online account or the individual who owns it, using a second form of authentication should always be the default option, regardless of the method chosen.

Couldn't disagree more. This is an oversimplification of a complex subject.

PaulDavisThe1st, over 4 years ago
Capital One continues to *only* make SMS available for 2FA. I had to close my account(s) with them last year when they refused to allow me to use my wife's phone for this purpose (since I don't have one). Their loss, not mine.

m3nu, over 4 years ago
How about using virtual phone numbers (Twilio, Google Voice, etc.) for SMS 2FA? Any better than a real SIM for services that don't support other 2FA options?

Should eliminate OTA and SIM swap attack vectors from figure 2.

skrowl, over 4 years ago
Email is also a very weak form of 2nd factor that's more popular than it should be.
