
Why SMS Is Awful for Two Factor Authentication, and What You Should Use Instead

Two factor authentication (2FA) is the notion that in addition to authenticating someone with something they know (their password), you also authenticate them with something else, typically something they have (like their phone) or something they are (biometrics).

There are three common methods of two factor authentication for online accounts, listed in order of increasing security: SMS, TOTP/HOTP (the 6 digit codes created by an app on your phone), and security keys.

SMS

This is the most common and worst form of two factor authentication. Despite its problems, it is still better than nothing: if it is your only option use it. However, if there is another option, use that instead.

The problem with relying on text messages as a 2FA method is that it is not terribly difficult for a criminal to take control of your phone number.[1] In a so-called SIM swap, all they have to do is convince your phone carrier that they are you, claim to have lost the SIM, and have the number transferred to a SIM they control. In the post-Equifax world, it is not hard to get the personal information needed to pass that check. Alternatively, an attacker within radio range could intercept the SMS as it is delivered to your phone.

To protect yourself against this type of attack, many wireless carriers will let you set an account security PIN that must be provided before a number is transferred. However, customer service representatives don't always follow this procedure, so you shouldn't rely on it entirely.[2]

A more secure approach is to use a VoIP (Voice over Internet Protocol) number from a company that practices good security, such as Google Voice. With a Google Voice number you can send and receive texts, and make phone calls, over the Internet. But more importantly, with Google's security practices the only way an attacker can take control of your phone number is by logging into your Google account - which is harder to attack than your carrier account - and that account can be made tougher still by protecting it with the other 2FA methods listed below. One caveat: some services refuse to send 2FA codes to VoIP numbers, so this does not work everywhere.

Authentication Apps

Authentication apps generate 6 digit codes that change every 30 seconds using a standard called the Time-based One-Time Password algorithm (TOTP, RFC 6238). To add 2FA via TOTP to an account, the service shows a QR code that you scan with your authentication app (the most common ones being Google Authenticator and Authy). Embedded in this QR code is a shared secret - essentially a second password - usually inside an otpauth:// URI with the secret written in Base32. The app computes an HMAC over the current 30-second interval number using that secret and truncates the result to the 6 digit code; the service, which holds the same secret, does the same computation and compares. (HOTP, RFC 4226, is the same construction with a counter that increments per code instead of a clock.)

Usually online services that offer this method will also offer backup codes in case you lose your phone. These codes can only be used once.

Security Keys

Security keys, such as the YubiKey made by Yubico, are even more secure than authentication apps. With an authentication app the shared secret is, well, exactly that: shared. If the online service accidentally exposes the shared secrets, or a criminal breaks into the service and steals them, the attacker can generate valid codes and access your account.

Warning: this next paragraph is fairly technical:
On the other hand, with security keys that implement the Universal 2nd Factor (U2F) standard, nothing secret is shared. The key holds a device secret that never leaves the hardware. When you register the key with a service (this is how Yubico's keys do it), the key combines the service's application ID (derived from its origin URL), the device secret, and a freshly generated random number (a nonce) to derive a private key that is unique to that service. It computes the matching public key, plus a message authentication code (MAC) over the nonce and application ID under the device secret, and sends the server the public key and a "key handle" consisting of the nonce and that MAC. At login the server sends a random challenge together with the stored key handle. The key checks the MAC, which proves the handle was issued by this device for this origin, re-derives the same private key, and signs the challenge; the server verifies the signature with the public key it stored at registration. Because the application ID is part of the derivation, a key handle registered with one site will not even produce a signature on a look-alike phishing site.

All that you really need to know is that through the magic of public key cryptography, the U2F standard lets a service authenticate your security key without ever holding a shared secret. Even if the online service's servers are compromised, the stored public keys and key handles cannot be used to log into users' accounts.[3]
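The registration and login exchange described above, as an added example that is not code from the post or from Yubico. The origin-bound key derivation and the key handle layout (nonce followed by a MAC) follow the scheme described, but several details are simplifications marked in the comments: Ed25519 stands in for the ECDSA P-256 signatures real U2F keys use, the signed message is SHA-256(appID) || challenge rather than U2F's exact message format, and the device secret, origins and challenge are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16

// Authenticator models the security key. deviceSecret is set at manufacture
// (here: supplied by the caller) and never leaves the device.
type Authenticator struct {
	deviceSecret []byte
}

// prf is the device's keyed hash: HMAC-SHA256 under the device secret, with
// a label so the signing key and the handle MAC are derived independently.
func (a *Authenticator) prf(label, appID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.deviceSecret)
	m.Write([]byte(label))
	m.Write([]byte(appID))
	m.Write(nonce)
	return m.Sum(nil)
}

// deriveKey rebuilds the per-service private key from the device secret, the
// service's application ID (its origin) and the registration nonce.
// Simplification: Ed25519 from a 32-byte seed instead of U2F's ECDSA P-256.
func (a *Authenticator) deriveKey(appID string, nonce []byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(a.prf("key", appID, nonce))
}

// Register picks a fresh nonce, derives the key pair for appID and returns the
// public key plus the key handle nonce || MAC. The handle holds nothing
// secret, so the server can store it in the clear next to the public key.
func (a *Authenticator) Register(appID string) (ed25519.PublicKey, []byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	priv := a.deriveKey(appID, nonce)
	handle := make([]byte, 0, nonceLen+sha256.Size)
	handle = append(handle, nonce...)
	handle = append(handle, a.prf("handle", appID, nonce)...)
	return priv.Public().(ed25519.PublicKey), handle, nil
}

// Authenticate is the login step. The key first checks that the handle's MAC
// was produced by this device for this appID, so a handle presented by a
// phishing origin or to a different device is refused. It then re-derives
// the private key and signs the challenge bound to the origin.
func (a *Authenticator) Authenticate(appID string, handle, challenge []byte) ([]byte, error) {
	if len(handle) != nonceLen+sha256.Size {
		return nil, errors.New("malformed key handle")
	}
	nonce, mac := handle[:nonceLen], handle[nonceLen:]
	if !hmac.Equal(mac, a.prf("handle", appID, nonce)) {
		return nil, errors.New("key handle was not issued by this device for this origin")
	}
	return ed25519.Sign(a.deriveKey(appID, nonce), signedData(appID, challenge)), nil
}

// signedData binds the signature to the origin as well as the challenge.
// Simplification of U2F's real signed message layout.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(appID))
	return append(h[:], challenge...)
}

// RelyingParty is the online service. Its database holds only public data.
type RelyingParty struct {
	AppID  string
	Pub    ed25519.PublicKey
	Handle []byte
}

// NewChallenge returns a fresh random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the key's signature over the challenge this service issued.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.Pub, signedData(rp.AppID, challenge), sig)
}

func main() {
	key := &Authenticator{deviceSecret: []byte("constructed-device-secret-000001")} // constructed
	rp := &RelyingParty{AppID: "https://example.com"}
	pub, handle, err := key.Register(rp.AppID)
	if err != nil {
		panic(err)
	}
	rp.Pub, rp.Handle = pub, handle
	challenge, _ := rp.NewChallenge()
	sig, err := key.Authenticate(rp.AppID, rp.Handle, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("login ok:", rp.Verify(challenge, sig))
	_, err = key.Authenticate("https://examp1e.com", rp.Handle, challenge)
	fmt.Println("phishing origin:", err)
}
```

The point to notice is what a breach of `RelyingParty` yields: a public key and a handle whose MAC only the device can check or forge. Neither lets an attacker produce a signature, and the handle is useless to a second device because its MAC is keyed by the first device's secret.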

Of course, a big concern with this method is losing your security key. All online services I've seen that have implemented U2F allow you to register multiple keys. If you're going to use security keys, you should buy at least two of them. I'd recommend keeping one on your keychain for convenience and one at home.

For YubiKeys specifically, there is an NFC version that lets you authenticate to services from your phone. Unfortunately, at the time of writing this only works with Android, because Apple does not give third party apps access to the NFC hardware on iOS.

As of this writing, there is still a promotion to get a subscription to WIRED magazine for $5 plus a free YubiKey 4 (the non-NFC version). I highly recommend it.


  1. WIRED

  2. YouTube

  3. This relies on the difficulty of the underlying mathematical problem: for the elliptic curve (P-256) signatures that U2F uses, recovering the private key from the public key means solving a discrete logarithm problem. In theory an account could be broken into this way, but with keys of this size the time it would take is far longer than our lifetimes.

Subscribe to Seonwoo's Musings