Skip to main content

Why should we stop using SMS-based two-factor authentication?

 Today, securing an application is challenging as attackers are becoming increasingly sophisticated. A proper authentication system plays a significant role in application security, as, without one, the app’s vulnerability could allow a malicious person to gain unauthorized access. Poorly configured authentication systems and human error are the most common reasons for data breaches. Therefore, to address this issue, the concept of two-factor authentication (2FA) or multifactor authentication is applied.

In addition to user ID and password, 2FA requires users to input a temporary code unique to them to verify their identity. This creates an extra layer of security by adding one more element to the authentication process. If a user’s login credentials are compromised, malicious actors won’t be able to access the resources since they would need to have both the login credentials and the 2FA code. 

One of the most widely used methods of 2FA is an SMS-based code, where the user needs to enter a code sent to them through the SMS service to verify their identity. Almost every mobile device in the world supports a text messaging service, and developers might prefer it based on its simplicity and availability. Adding text-based 2FA on top of simple user ID- and password-based authentication might be safer than not having one, but it is not the most secure way of implementing multifactor authentication. 

So, what makes the SMS service vulnerable, and why is it not considered a secure method of authentication for 2FA? Here are a few vulnerabilities of SMS which make it the most insecure method for two-factor authentication:

SIMJacking
SIMJacking, also referred to as a port-out scam or SIM swap scam, is a type of attack where one would gain access to someone’s phone number by switching the service to another carrier. Port-out is a feature offered to users by their telecommunication companies where a customer can switch to different carriers and keep their current phone number. Usually, carriers require some form of identification before they provide a PIN to port out a phone number. Hackers are using sophisticated social engineering attacks and using publicly available information about a victim to gain access to their phone numbers by switching them to another carrier. After getting control over the phone number, the attacker would be able to gain access to 2FA codes.

Unencrypted protocol
SMS works through the Signaling System No 7 (SS7) protocol, sending clear text that is not encrypted by any encryption protocol. Because of this weakness, it is easy for hackers to intercept information sent via SMS. Since it doesn't use any encryption and the information is transmitted on a radio frequency, SMS is vulnerable to man-in-the-middle attacks, and third parties can get access to 2FA codes sent via SMS if they use the right tools and codex.

Device vulnerability
 SMS security also depends on the receiving device. If the phone is vulnerable, there is a risk of the 2FA code being stolen. SIM cards are also vulnerable to attack where a hacker could monitor all the conversations by installing malware on them.

As mentioned above, SMS-based 2FA is not the best way to implement multifactor authentication because of the multiple risks as described, and there are other better alternatives. Below we discuss two key alternatives to SMS-based authentication.

Hardware-based authentication
Hardware-based authentication uses dedicated physical hardware to generate authentication codes. These devices use time-based codes that expire after a certain time. New codes will be continuously generated based on the configured time. After logging in with a username and password, the user also needs to provide the 2FA code from the device before they are granted access to the application. Since users need to have this device with them physically to get the access code, this eliminates the risk of the code being compromised by an attacker through the internet. 

Software-based authentication
Software-based authentication works similarly to hardware-based, but instead of a physical device, it uses software to generate the 2FA codes. This provides user flexibility as they can install the application on their existing device. Google Authenticator and Microsoft Authenticator are two examples of widely used 2FA applications. Some hardware-based 2FAs also provide software applications that can be used in the same way without the need for hardware. Since the codes are generated locally without information being sent through insecure channels, it is considered more secure than SMS-based 2FA. 

Ultimately, SMS is convenient and easy to use, but it comes with risks when used as part of 2FA. Information sent through an unencrypted channel should never be trusted as secure. Physical devices that generate 2FA codes are much more secure than SMS-based solutions. Software-based 2FA codes provide better flexibility and are a much stronger solution than SMS. Since improper authentication could result in data breaches and losses to organizations, it is critical to select a secure multifactor authentication system.

Comments

Popular posts from this blog

What is Phishing Attack? Understanding Phishing and it's Types

Phishing is a method used by fraudster for stealing valuable personal data from a user. It is generally done by sending emails or creating fake websites. One of the most common attacks that we see on cyberspace is phishing and it is rapidly growing cyber threat. To get the personal information from people attacker send a fraud email to large no. of people and few might fall for the scam. The attacker will ask the victim to provide their sensitive information like credit card information, social security number or username, and password. Phishing is one of the most common cyber-attack it is very easy to do, and it also doesn't require much resources and time. Most of the phishing act are automated and the done in a bulk and they wait for the victim to put their information.  The attacker will create a fake login form, malicious files or personalized message and send the victim to take the action on their email. If it reaches up to the victim, then they might think that the email is

How is Mobile Technology & IoT Devices Affecting IT Security

Technology has changed the way we do business and it has become an essential part of modern commerce. Technology has become the need of every business. Not only they are using technology for marketing their product and providing the better support they are also expanding their presence to the digital world with e-commerce. For communication, business is using latest technologies like VoIP which provide more functionality to the organization and is more easier and faster than traditional communication system. Since every employee needs a computer for their job in the organization, some companies are also promoting Bring Your Own Device (BYOD) on their organization, as it can reduce the cost of buying a new device and increase efficiency since employee are working on their own machine. Although these new technologies have made the job easier and faster they possess several threats to the business. We can see smart IoT devices being installed on the organization to monitor the envi

How to Identify Cryptojacking Malware?

There are several ways to identify the hidden crypto mining malware on our computer. We can either detect and identify that malware manually or by using the third-party antivirus or antimalware tools. These are the few ways to identify the cryptojacking malware on our computer. Monitoring CPU usage If we see unusual CPU usage behavior then our computer might be infected with cryptojacking malware. Usually, there won’t be much CPU usage when the computer is idle. We only see a spike in CPU usage when we are using heavy programs, so if we see high CPU usage on our computer when we are not using any programs on the computer then this might be the result of cryptojacking malware. We can manually monitor the CPU usage of our computer when we open any web browser or open any website. If the CPU usage is increasing when we open any website then there might be cryptojacking code on the website, we can then block those websites from being loaded on our computer. If we see high CPU u