Should 2-factor authentication using SMS be deprecated?

Bruce Schneier talks about this issue here.

To quote the article:

Here are two new active attacks we're starting to see:

  • Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
  • Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.

The problem with 2FA is that the password and the OTP are both sniffed. Or just the password is sniffed and then the user taps the 'tap here to login' prompt. Either one allows the attacker in.

As mentioned by defalt, the proper way to authenticate a user (mathematically speaking) is to use strong mutual authentication, like how YubiKey's Security Key does.


1) What is the foreseeable future: is it going to happen that worldwide GSM providers will soon fix all the vulnerabilities and easily upgrade the technologies? And if they don't plan this, then what should we do?

Things take a very long time to change because of lock-in. IPv4 was predicted to be dead by 2010. In 2019 IPv6 usage is about 25%. Rolling codes were created back in the 1980s, but fixed-code systems are still around in 2019. So SMS will stick around for a long time to come.

The best thing you can do is utilize the strongest authentication that a website has available. There's not much an individual user can do beyond that. It's really up to the website to implement strong authentication.

2) What is the foreseeable future of the internet: do Google, banks and all the others intend to deprecate SMS authentication soon, or is that not going to happen, and will we still be stuck with problem #1?

Google and Yubico are working hard on upgrading user authentication for the internet in two ways: 1) delivering hardware-based tokens, and 2) making it easy for web servers to implement WebAuthn. These two ways are really just different sides of the same coin.

3) And as a last note, of course, in our reality, 2-step authorization (SMS based) increases security against most hackers (i.e. in case our passwords are stolen), but the reality turns out to be that a user who uses 2-step SMS authorization (or doesn't use 2-step, but has entered their own mobile number in their profile as a recovery method) faces an increased security threat: for example, when a hacker doesn't know your password but is capable of hacking SMS (as opposed to the first category of hackers, against whom you have increased security instead). Quite a problematic dilemma.

A chain is only as strong as its weakest link. Whether it's easier to hack someone's account directly or by "recovering" the account, the attacker doesn't care. A website needs a strong primary way of authenticating its users, and if it chooses to implement recovery, that needs to be secure too.
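To illustrate the contrast drawn in this answer between a sniffed OTP, which a man-in-the-middle can forward unchanged, and security-key style authentication, whose signed response is bound to the origin the browser saw, here is an added toy model (not code from the answer, from Yubico, or from any WebAuthn library). It assumes made-up names such as `bank.example` and stands in an HMAC keyed per relying party for the public-key signature a real authenticator produces.

```python
import hashlib
import hmac
import secrets
# Toy model for illustration: an HMAC keyed per relying party stands in for
# the public-key signature a real security key produces. All names are made up.

class Authenticator:
    """Simulated security key: a distinct key for every relying party (rp_id)."""
    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def key_for(self, rp_id):
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id, challenge, origin):
        # The signed client data includes the origin the browser actually saw.
        client_data = f"{challenge}|{origin}".encode()
        return hmac.new(self.key_for(rp_id), client_data, hashlib.sha256).hexdigest()

class RelyingParty:
    """Simulated bank server that verifies assertions against its own origin."""
    def __init__(self, rp_id, origin, authenticator):
        self.rp_id, self.origin = rp_id, origin
        self._cred_key = authenticator.key_for(rp_id)  # stored at registration
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_hex(16)
        return self._pending

    def verify(self, signature):
        # Reconstruct client data with the server's own origin: a signature made
        # on a look-alike site covers a different origin and fails this check.
        expected = hmac.new(self._cred_key, f"{self._pending}|{self.origin}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

def otp_login():
    # SMS/TOTP: the code carries nothing tying it to the page it was typed into,
    # so a man-in-the-middle forwarding it verbatim is accepted like the real user.
    code_sent_by_bank = secrets.token_hex(3)
    code_forwarded_by_mitm = code_sent_by_bank
    return hmac.compare_digest(code_sent_by_bank, code_forwarded_by_mitm)

def webauthn_login(origin_seen_by_user):
    auth = Authenticator()
    bank = RelyingParty("bank.example", "https://bank.example", auth)
    chal = bank.challenge()  # a MITM can forward the bank's real challenge...
    sig = auth.sign(bank.rp_id, chal, origin_seen_by_user)
    return bank.verify(sig)  # ...but not a signature over the bank's origin
```

In a real browser the credential is additionally scoped to the relying party ID derived from the origin, so a look-alike site cannot even request the bank's credential; the origin check shown here is the second, server-side layer of the same defence.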
