2FA via SMS is no longer an acceptable standard: why and what’s the alternative?
April 4, 2018
Jerrod Chong, SVP of Product at Yubico, explains to TEISS why 2 Factor Authentication (2FA) via SMS is no longer an acceptable standard.
We've all been there. Typing in your password online, followed by a "we will send a verification code to your phone" announcement. You receive an SMS with the code. You type it in. Maybe it works. Maybe it doesn't. It's an annoying, fiddly and lengthy process.
But it's in the name of security, so it's worth it. Right?
Not so, says Jerrod Chong of Yubico who highlights the problem with this form of authentication.
Jerrod outlines the following scenario: you have logged on to a website, you believe it is the real website, and so whatever it asks you to do, you will do.
For example, you log on to what you think is the Google login page; you might glance at the address, which resembles the Google.com URL. The site asks you to log in and you happily do so (seeing as you have not done so for 30 days). As you have 2FA, the next step is to receive an SMS. The site instructs you to type in the code once the SMS arrives. You believe the site is genuine, so you comply and type in the code. By the time the SMS reaches you, the hacker has captured your username and password in real time and is entering your credentials, followed by the code you type, into the real Google website. You can see this approach is problematic because the user is duped into thinking the site is real.
Another drawback of 2FA via SMS is that it is simple for an attacker to have the victim's real phone number ported to a new number. "We've seen this for a while now at scale, you don’t need to be a clever attacker, you just have to be persistent," Jerrod says. As an example, he adds, "If I'm the attacker and I know the victim's phone number, all I have to do is call up the phone company's helpdesk. I'd tell them I've lost my phone and I really need to port my phone number because I need to login to my bank. It's critical as I've got to make this important bank transfer to my mum who's really sick but the bank put up 2FA."
Most people, Jerrod explains, would help the fellow human being on the other side of the phone. "They're going to want to help you and if you've done a really good job of convincing them you need to port the phone number to your new number, they’ll do it."
2FA via SMS is only a small speed bump for attackers and is not going to stop them, Jerrod states.
So why not add more steps to the process to tighten up security?
Jerrod thinks this is a bad approach.
The number one complaint about security, Jerrod reveals, is that it adds friction to the user's experience of your service. The number of clicks will turn customers off and they will choose to go elsewhere. "2FA via SMS is not just insecure, it's fundamentally unreliable, and really painful to use," Jerrod adds.
From a security point of view the reverse obviously holds, so there needs to be a balance, Jerrod advises.
So what's the answer?
At Yubico they have been busy developing the YubiKey, a simple and easy-to-use key (not dissimilar in look to a USB key). Unlike two-factor authentication using SMS, the YubiKey does not require network connectivity or access to a mobile device. The YubiKey is built on an open standard, is very secure (as strong as they can get) and the user experience is a single-gesture operation, making for the winning combination: security and usability.
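To make both halves of the argument concrete (the real-time relay of an SMS code described in the Google scenario above, and why a key that does not depend on the phone resists it), here is an added Python model that is not from the article or from Yubico. It goes beyond the text in one respect: it assumes the key's protocol binds the origin the browser actually visited into what the key signs, as FIDO-style keys do; a shared HMAC secret stands in for the registered credential, and the domain names are constructed placeholders.

```python
import hashlib, hmac, secrets

REAL_ORIGIN = "accounts.google.com"        # where the user believes they are
PHISH_ORIGIN = "accounts-google.example"   # constructed look-alike domain (placeholder)

# --- SMS one-time code: nothing in the code says where it was typed ---
class SmsOtpService:
    def __init__(self):
        self._pending = {}
    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = code
        return code  # in reality delivered by SMS to the user's phone
    def verify(self, user, code):
        return hmac.compare_digest(self._pending.pop(user, ""), code)

def relay_sms_attack(service):
    # Attacker replays the phished credentials to the real site, which sends the SMS;
    # the victim types the code into the fake page and the attacker forwards it.
    code = service.send_code("victim")
    return service.verify("victim", code)  # True: the relay succeeds

# --- Origin-bound key (simplified FIDO-style model, an assumption of this example):
# the assertion covers the origin the browser actually visited, so it cannot be
# replayed at another site. A shared HMAC secret stands in for the registered credential.
class OriginBoundKey:
    def __init__(self, secret):
        self._secret = secret
    def sign(self, challenge, browser_origin):
        return hmac.new(self._secret, challenge + browser_origin.encode(), hashlib.sha256).digest()

class OriginBoundService:
    def __init__(self, origin, secret):
        self.origin, self._secret, self._pending = origin, secret, {}
    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]
    def verify(self, user, assertion):
        c = self._pending.pop(user, None)
        if c is None:
            return False
        expected = hmac.new(self._secret, c + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

def legitimate_key_login(service, key):
    return service.verify("victim", key.sign(service.challenge("victim"), REAL_ORIGIN))  # True

def relay_key_attack(service, key):
    c = service.challenge("victim")  # attacker forwards the real site's challenge to the fake page
    return service.verify("victim", key.sign(c, PHISH_ORIGIN))  # False: origin mismatch
```

The SMS code verifies wherever it is relayed from, while the origin-bound assertion made on the look-alike domain fails at the real site, which is the property the article attributes to the key.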