SMS Two-Factor Authentication: Time to Trash the Text?
Companies recognize the value of two-factor authentication since passwords alone are no longer enough to secure user accounts and protect businesses in the event of malicious data loss. For many organizations — Twitter, Facebook and Google, to name a few — the shortest route to improved security is the use of SMS messaging to deliver single-use codes that users must enter in addition to passwords.
The problem: According to a new National Institute of Standards and Technology (NIST) draft, SMS two-factor authentication may not be so secure. Is it time to trash the texts for something better?
An Easily Exploited System
So what’s the problem with text messages? They seem like the perfect solution since they’re quick to send and only require users to provide their best contact number. As noted by CSO Online, however, cybercriminals have already found ways to work around this supposedly secure system.
For example, smartphones infected with malware can secretly redirect texts to another device, while more enterprising criminals are calling up phone companies and impersonating their potential victims, convincing operators to re-route secure texts.
The NIST draft also warned that software-based phone numbers, such as those connected to VoIP systems, could be vulnerable to cyberattacks and text theft. Users don’t know they’ve been victimized until after accounts are breached and financial or personal data is stolen. If users can’t easily prove they’ve been attacked or their texts were misdirected, they may be on the hook for any criminal actions.
So far, the NIST has stopped short of asking companies to trash their text programs, but it suggested that companies should always verify that the number they’re texting is a true mobile phone and “generate a random authentication secret with at least 20 bits of entropy using an approved random number generator.” NIST further advised that codes should not be displayed on the lock screens of mobile devices.
Another option is to use authentication apps, which require the user to initiate code generation. The NIST said that “mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication.” While this doesn’t guarantee security since attackers could still take control of the mobile device itself, apps significantly reduce the chance of in-transit interception or eavesdropping.
As noted by ZDNet, other alternatives include biometrics such as fingerprints or eye scans, but the NIST cautioned that the amount false match rates and false nonmatch rates make it difficult to confirm user identity. There’s also movement toward selfie identification, and companies like MasterCard have introduced apps that prompt users take a picture of themselves. This photo is then compared to a photo submitted at the time of registration.
Time to Trash SMS Two-Factor Authentication
SMS two-factor authentication was never designed as a catch-all, but rather a security time-saver that at least offered increased peace of mind. But just like software or network defense, cybercriminals have found ways to circumvent and compromise SMS codes. Time is running out to toss the texts and opt for new authentication tech.