Getting a second opinion is a great idea in both medicine and end-user cybersecurity. Two-factor authentication (2FA) and multifactor authentication (MFA) are powerful tools in the fight against all kinds of cyberattacks that involve end-user devices and internet-based services.
There’s just one big problem: it’s far, far too common for people to use text messaging as the second factor. That turns phone numbers into digital identity devices — a role they are poorly designed to play. If someone loses a smartphone or has it stolen or taken from them, they also lose their access to authentication. Worse, the attacker can transfer the phone number to another person, who will now receive authentication requests. Here’s what to do about the 2FA and MFA phone problem.
How Two-Factor and Multifactor Authentication Work
Both of these precautions work by using more than one ‘authentication factor.’ That factor could be something the user knows, has or is part of what they are (like a fingerprint).
One of the most common combinations is a username and password (something the user knows), plus a message, link or code sent by text message to the user’s smartphone (something the user has).
But there are others. Authentication factors can be a PIN code, an item of personal trivia (mother’s maiden name, for example), a key fob, your face or many others.
Multifactor Authentication in Real Life
It plays out a million times a day. A user forgets a password, or chooses to change it. Or they visit a website from a different location than normal, or with a different device or on a site that checks users on a fixed schedule. So, the site sends a code, link or password to the user’s phone via text message.
The problem with this is that it assumes that only the original, honest user could possibly have access to the phone number paired with the text. And that’s a bad assumption.
In the past, people assumed that only the original signer could write their signature the way they do. That was a pretty good assumption. When we assume that only a real user could have the registered face or fingerprint, that’s a pretty good assumption, too. But possession of a phone number? Not so much.
It turns out that threat actors can figure out which phone numbers on wireless providers’ websites are ‘recycled’ numbers — once used but now abandoned. They can then match those numbers against leaked login credentials for sale on the dark web. By taking over the phone numbers, they can hijack accounts by resetting the passwords (confirmed via their newly acquired phone numbers).
The Problem With Recycled Phone Numbers
Princeton University researchers sampled 259 phone numbers offered by two U.S. wireless carriers. They found that 171 of them matched up with current accounts at various websites and 100 matched up with leaked credentials on the web.
Interestingly, the researchers noticed that phone companies offer new numbers in blocks of consecutive numbers. But they display recycled numbers in non-consecutive blocks, revealing the fact that they have been used before. Attackers can automate the discovery of such numbers, according to the researchers.
The researchers also monitored 200 recycled numbers. Within one week they found roughly 10% of them receiving privacy or security related messages directed at the previous owners.
Princeton’s research points directly at the gaping hole in 2FA and MFA cybersecurity that relies on a phone number. But so does common sense.
In addition, a crowdsourced project called TwoFactorAuth.org found that nearly one-third (30%) of the sites it tracks offer 2FA via text message. (Around 40% support authentication apps.)
Beyond Text Messaging Codes
Text-based authentication doesn’t only fail when someone’s number changes. Cyber criminals can intercept texts using any number of specialized wireless systems. Attackers can trick, blackmail or bribe phone company employees into transferring phone numbers to a cyber criminal’s SIM card (called SIM swapping). Text-based codes are also available through phishing tools.
The bottom line is that phone numbers can be assigned to more than one person. Attackers (or accidents) can separate phones from their owners. They can intercept texts or otherwise break into messaging. And so for many reasons, 2FA or MFA that includes texting is far less secure than many other methods.
What About the Password Element of MFA?
In practice, of all the factors that could be used for multifactor authentication, by far the most common are 1) username/password; and 2) texts.
It’s bad enough that texting and smartphones are insecure methods, but usernames and passwords are, too. Far too many users use weak passwords that they reuse for multiple sites, and threat actors steal far too many of these and make them available on the dark web for other cyber criminals.
The one-two punch that will improve 2FA and MFA security is to mandate strong passwords and the use of password managers. Next, ban text-based authentication in favor of something more secure, such as authentication apps. With these, you’ll have a first line of defense in place.