Don't Use SMS Text Messages for Two Factor Authentication

January 13, 2018

Mobile phone two factor authentication (2FA), where a mobile phone takes the place of a token and becomes the first factor (something a user has), with the second factor being something a user memorizes (a PIN or password), has serious drawbacks. Often a passcode of 4-6 digits is sent to a smartphone in an SMS text message; nearly everyone has had at least a few experiences with such authentication. Codes sent via SMS expire after a short fixed time period, but SMS messages can also be intercepted. The National Institute of Standards and Technology (NIST) Special Publication 800-63B, Digital Identity Guidelines, highlights one potential vulnerability of sending passcodes via text messages:


"If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device."


The NIST guide further recommends that SMS messages be sent only to pre-registered telephone numbers associated with a specific device, and notes that porting a number from one mobile carrier to another poses a potential security threat.


Smartphones also usually provide access to email accounts that stay logged in. If 2FA is applied to those accounts, SMS verification lets a phone thief bypass the authentication process, because the stolen phone is the device that receives the code. The SIM cards in phones can also be cloned.
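The server-side controls the post and the NIST guidance describe (short fixed expiry, delivery only to a pre-registered number, and caution around number porting) can be made concrete in a small verifier. The following is an added example written for this page, not code from the post or from NIST; the in-memory store, the fake clock, the `carrier_flags` signal marking a number as recently ported or SIM-swapped, and the `sent` list standing in for an SMS gateway are all constructed assumptions. Note what the code cannot do: for its lifetime the delivered code is a bearer secret, so these checks shrink the window in which an intercepted or stolen-phone code is useful, but do not close it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # short fixed lifetime, as the post describes
MAX_ATTEMPTS = 3         # cap on guesses at a 6-digit code per issued code


@dataclass
class PendingCode:
    code: str
    phone: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class SmsOtpVerifier:
    """Server side of an SMS out-of-band code check.

    registered_phones: user -> pre-registered number (the only allowed destination).
    carrier_flags:     hypothetical signal, phone -> True if the number was recently
                       ported or the SIM changed; issuance is refused while it is set.
    now:               clock function, injectable so expiry can be tested offline.
    """

    def __init__(self, registered_phones, carrier_flags=None, now=time.time):
        self.registered = dict(registered_phones)
        self.carrier_flags = dict(carrier_flags or {})
        self.now = now
        self.pending = {}
        self.sent = []  # constructed stand-in for an SMS gateway: (phone, code)

    def issue(self, user):
        """Generate a fresh code and 'send' it to the user's pre-registered number."""
        phone = self.registered.get(user)
        if phone is None:
            raise ValueError("no pre-registered number for user")
        if self.carrier_flags.get(phone):
            raise ValueError("number recently ported or SIM changed; SMS delivery refused")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
        self.pending[user] = PendingCode(code, phone, self.now())
        self.sent.append((phone, code))
        return phone  # the code itself is never returned to the caller

    def verify(self, user, submitted):
        """Accept a submitted code once, within its TTL, within the attempt cap."""
        p = self.pending.get(user)
        if p is None:
            return False
        expired = self.now() - p.issued_at > CODE_TTL_SECONDS
        if p.used or expired or p.attempts >= MAX_ATTEMPTS:
            del self.pending[user]  # spent, stale or over budget: discard
            return False
        p.attempts += 1
        if hmac.compare_digest(p.code, submitted):  # constant-time comparison
            p.used = True
            del self.pending[user]  # single use: a replayed code fails
            return True
        return False
```

The injected clock lets the expiry path be exercised without waiting; in production `time.time` is used as-is.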

© 2015 by Sean O'Shea . Proudly created with Wix.com