Kyle Lady, Senior R&D Engineer, Duo Security commented below on the story regarding attackers exploiting two-factor authentication by using a phone numbers to gain access to victim’s devices.
Kyle Lady, Senior R&D Engineer at Duo Security:
“We agree that there are stronger forms of authentication than SMS (such as push and U2F), as SMS and email-based authentication are vulnerable to interception via ISP sniffing or phone cloning. However, we also believe that some form of second factor authentication is better than none at all – and before we throw the baby out with the bathwater, we need to consider adoption rates, which are lower for some of the newer and more secure solutions.
Take a look at the keyfob, for example. Yes – it’s more secure in this scenario, since an attacker can’t social-engineer a third party to bypass it. But if no one uses it there will be very little improvement in security. On the other hand, if there is large adoption of SMS, it will end up protecting more people even if it is technically a less secure mechanism, because it raises the bar for an attacker from merely phishing or guessing to also having to attack phone companies. This is similar for when we look at mobile screen locks. While some will say fingerprint is less secure – it’s easier – therefore more people will enable it versus a passcode. In other words, SMS-based two-factor authentication is better than customers using no two-factor authentication at all.”
“SMS and phone-based two-factor authentication are more secure than not having any 2FA at all. They do have weaknesses, and there are stronger methods available. Using a cryptographically secure approach (such as phone-app-based or hardware security keys like U2F tokens) would provide more account security. Ultimately, whether phone-based authentication is sufficiently secure depends on the sophistication and motivation of the attackers that the user (or their administrator) wants to protect against.
More secure versions of 2FA, instead use an end to end encrypted channel from the cloud service to the application located on the user’s mobile device.”
Do you see phone companies taking steps to make SMS authentication safer or provide their customers with alternatives?
“The phone companies have a system in place that is currently working and there is no financial incentive for them to correct issues with SMS authentication aside from customers leaving because their provider let an attacker redirect their phone numbers without sufficient authentication of the voice on the other end of the phone. The consumer or their banks are the ones that utilize these systems and are affected financially. Some banks do offer other forms of authentication in addition to SMS and traditional passwords, such as tokens. Ideally to offer some type of “push” or incorporate a biometric element would be better, but right now there are still a large number of customers who either do not possess the proper platform (such as a phone with biometric capability) nor do most banks have the ability to implement it.”