Why 2FA SMS is a Bad Idea

Editorial: This post was last updated 13th, 2022.

What is 2FA?

Two-factor authentication (2FA) offers a second layer of security to help protect an account from brute force, phishing, and social engineering attacks.

2FA requires an extra step for a user to prove their identity, which reduces the chance of a bad actor gaining access to their account or data. And since notifications are sent to verify the initial authentication via username and password, it also gives users and businesses the ability to monitor for potential indicators of compromise.

One of the most common methods of 2FA is SMS text messages. The problem is that SMS is not a secure medium. Hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. Despite this security flaw and better options for authentication, SMS-based 2FA is still used by several institutions.

How do hackers intercept SMS?

It is a great idea to add 2FA to any application to increase security. Password attacks are becoming more sophisticated, and even complex passwords can be cracked. Requiring further authentication for any login ensures better protection.

But after taking that extra security step, why use an insecure form of communication for that extra verification? After all, SMS messages are based on telephone networks. The first hackers were a bunch of folks who were finding cool ways to get around phone networks. Intercepting SMS is old hat to many hackers.

And, as Daniel Cid points out, it’s not just the phone networks, but phone companies that are bad at security.

Your voicemail is protected by only a 4-digit PIN. And on most carriers you can access your voicemail remotely.

Easy to phish. If you know some basic information about the person, you can get the PIN changed.

Easy to spoof. It is very easy to spoof an SMS message. There is no SSL or certificate to verify where it really came from.

Spoofing may actually be combined with phishing to gain access. This process allows hackers to falsify a message to appear like it’s coming from a legitimate source. The message will alert the victim that they need to reply with the security code. At the same time, the hacker will trigger a login 2FA request. If the victim replies with that code, the hacker can use it to gain access.

But following the best practices to prevent phishing isn’t enough to make SMS authentication secure. As Daniel noted, a hacker with basic information about the victim can get a PIN changed. And unfortunately, you can’t control phishing at the phone company.

The same method of social engineering can also be used to swap SIM information for a phone number. A hacker can pretend to be the victim and activate a new phone on the number. Before the victim notices, the hacker will already have breached the 2FA.

While this process may seem convoluted, it is surprisingly effective. For example, CloudFlare was breached using a similar method: their phone provider, AT&T, was tricked into redirecting their voicemail, and access to their email was then gained through a 2FA account recovery process. If it can happen to an industry leader in cybersecurity, it can happen to anyone.

Hackers can also swap SIM information through Remote Desktop Protocol (RDP) access to carrier systems. These attacks still need social engineering to get the RDP software installed. As Joseph Cox reported in Vice in January 2019, hackers had no problem gaining remote access to phone company systems. One even went as far as calling some employees and managers “brain dead.”

Because of this, weak 2FA is in some ways worse than no 2FA at all. In the case where SMS- or phone-based authentication is the only option offered by a service, it’s actually safer to skip 2FA. A good password policy will be the best option in this case.

So, how should you enable 2FA then?

To prevent brute force and other attacks targeting password-only authentication, some form of 2FA is needed. The good news is that there are multiple secure alternatives to SMS-based 2FA. Implementing one of these options will help keep your accounts safe from bad actors.

1. Hardware authentication

Hardware authentication relies on a dedicated physical device to grant access. Along with their password, users will also have to input a random token code generated by the device. Logins will fail without the code. Providers of hardware authentication include RSA SecurID and Thales SafeNet.

The physical nature of this method does mean devices can be lost or stolen. But it does address many of the security issues inherent to SMS-based 2FA.

2. Software authentication

Software authentication is essentially the same principle as hardware authentication. But instead of requiring a physical device, token codes are generated with a mobile application. The most popular authentication app is Google Authenticator, but there are many options. For example, RSA now offers their SecurID authenticator as an app.

It may seem counterintuitive to recommend authentication based on a mobile device. But the software is not relying on SMS or the phone network for authentication, eliminating the inherent flaws in SMS-based 2FA.

3. IP-based authentication

This method checks the user’s IP address when logging in. You can block access from specific IP addresses suspected to be malicious, or only allow logins from known IP addresses and ranges. IP-based authentication can be used in conjunction with other forms to add another layer of protection.

Is SMS 2FA secure?

Phones and text messages simply weren’t designed with security in mind. Relying on SMS for authentication actually causes a larger problem than what it’s meant to solve. But SMS still remains a very popular 2FA method despite these issues.

In short: If a more secure option for 2FA is available, it is best to take it.

While stronger 2FA options are recommended, they are not a replacement for a good password strategy. Think about it like you would your home: A strong deadbolt on the front is great, but it won’t matter if you leave the key under the mat.
