Most critical transactions today include SMS-based 2-step verification, in which the authorized organization or the app sends a text message with a code to your phone to verify who you say you are. These transactions include – resetting/changing passwords, money transactions, etc.
But have we ever stopped to consider how secure this method is? What other authentication methods exist? Is SMS authentication the best option of all?
What is 2-factor authentication?
Multifactor authentication combines two or more independent credentials:
- What the user knows (password)
- What the user has (security token)
- What the user is (biometric verification)
The main objective of MFA is to ensure that only authorized persons can access the resources or assets of an organization. If the first-level authentication gets compromised, an attacker still has to pass one more authentication step before gaining access to the system.
What is SMS-2-factor authentication?
In SMS-2-factor authentication, two factors are used: ‘what the user knows (password)’ and ‘what the user has (security token)’. The system asks for a username and password, and then a one-time passcode is sent to the user in a text message to verify that they are the authorized person. The user enters the passcode and gains access to the system or application. This authentication method is used for first-time login, resetting passwords, or critical transactions.
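The server side of the flow just described, as an added example that is not code from the original article: the application generates a short random code, hands it to an SMS gateway (a constructed stand-in here that only records the message), and later checks what the user types. The defensive details a practitioner would want are included: the code is stored only as a hash bound to the username, expires after a short window, is accepted once, and is locked after a few wrong guesses, with a constant-time comparison.

```python
"""Server-side issue/verify logic for an SMS one-time passcode (OTP).

Added example, not the article's or any vendor's code. The gateway is a
constructed stand-in; a real deployment would call an SMS provider here.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300   # code expires five minutes after issue
MAX_ATTEMPTS = 5        # lock the challenge after this many wrong guesses
OTP_DIGITS = 6

# Constructed stand-in for an SMS gateway: messages are appended here.
outbox = []


def send_sms(phone_number: str, text: str) -> None:
    """Hypothetical delivery stub; records the message instead of sending it."""
    outbox.append(text)
    print(f"[sms -> {phone_number}] {text}")


@dataclass
class OtpChallenge:
    username: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(username: str, code: str) -> bytes:
    # Bind the hash to the username so a stored hash is useless for another account.
    return hashlib.sha256(f"{username}:{code}".encode()).digest()


def issue_otp(username: str, phone_number: str, now: Optional[float] = None) -> OtpChallenge:
    """Generate a random code, deliver it out of band, and keep only its hash."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    send_sms(phone_number, f"{code} is your verification code. Do not share it with anyone.")
    return OtpChallenge(username, _hash_code(username, code), now + OTP_TTL_SECONDS)


def verify_otp(challenge: OtpChallenge, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'used', 'expired', 'locked' or 'mismatch'."""
    now = time.time() if now is None else now
    if challenge.used:
        return "used"          # a code is good for exactly one login
    if now > challenge.expires_at:
        return "expired"       # stale codes are never accepted
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"        # stops online guessing of a 6-digit code
    challenge.attempts += 1
    if hmac.compare_digest(_hash_code(challenge.username, submitted.strip()), challenge.code_hash):
        challenge.used = True
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    ch = issue_otp("alice", "+1-555-0100")          # constructed sample user and number
    typed = outbox[-1].split()[0]                   # what the user would read off the SMS
    print(verify_otp(ch, typed))                    # ok
    print(verify_otp(ch, typed))                    # used
```

The attempt limit and expiry are what keep a six-digit code from being brute-forced online; none of them, however, help when the SMS itself is read or redirected before the user sees it, which is the class of risk the rest of the article describes.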
SMS-2-factor authentication is popular because it is easy and super convenient for the user. Nowadays, everyone has a mobile phone, and they always have it on them. They don’t need any new hardware or software. And they don’t have to go through any creepy fingerprinting process. They need only two things: a device (it could be a phone) and a SIM card.
Dismissed by NIST
The US National Institute of Standards and Technology (NIST), in July 2016, issued guidance that found multifactor authentication implemented over SMS to be insecure and no longer suitable for authentication. NIST deprecated SMS multifactor authentication because of its vulnerabilities.
Risks in using SMS 2-factor authentication
Let’s take a look at some of the key vulnerabilities:
- Device (phone) stolen: Any physical device can be stolen, especially one that is carried around all the time. Unfortunately, the phone’s lock will not protect the passcodes: if lock-screen notifications are enabled, a thief can read a passcode sent by SMS without unlocking or breaking the phone. It is just as easy for someone nearby to sneak a peek at it.
- Trojans installed with apps: Many apps can access the SMS inbox and read the messages. If a trojan gets installed on the phone, it can read the SMS messages through that same permission and send the passcodes to an attacker.
- Intercepting the SMS in transit: SMS messages carrying the passcode can be intercepted through a basic flaw in the SS7 protocol used to route the messages. Using SS7 access, an attacker can wiretap conversations, track users’ locations based on where the SMS is being delivered, and read the SMS before it reaches the intended user. Intelligence agencies and criminals are actively using unauthorized SS7 access in various countries. With SS7 access, posing as a foreign carrier, attackers redirect SMS messages sent to the authorized phone number to their own phones and obtain the passcodes they need to complete the transactions.
- Getting the same phone number as the victim: Using various underhanded tactics (persuasion, bribery, etc.), hackers can get a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network.
- Phishing for passcodes: In this technique, hackers collect victims’ usernames and phone numbers and then try to reset the passwords by requesting passcodes. When the passcode is sent to the victim’s phone, the hacker sends an SMS or makes a voice call and says, “Suspicious activity has been detected on your account. Reply with the code sent to your phone to prevent unauthorized access.” Now the hacker has the code and can easily access the account.
Today, most users and organizations still rely on SMS-2-factor authentication. Such organizations and their users can adopt the practices below:
- Don’t share passcodes with anyone, even someone who claims to represent a legitimate organization
- Never share or write down your passwords
- Never select the ‘Save password’ or ‘Remember me’ options in apps
- Use antiviruses and take precautions while installing apps
- Change your passwords frequently
Even after following all the best practices given above, some users may still be attacked. So, the main piece of advice is to avoid using SMS-based one-time passwords whenever possible and consider other multifactor authentication methods such as –
- Authenticator apps – Google Authenticator, Microsoft Authenticator, FreeOTP, etc.
- Hardware authenticators – YubiKey, USB security keys, smart cards
- Biometrics – Retina scan, iris scan, fingerprint
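Why the authenticator apps listed above avoid the SMS risks: they implement the time-based one-time password algorithm (TOTP, RFC 6238), so the phone and the server each compute the code locally from a shared secret and the current time, and no code is ever transmitted over SMS or SS7. The following is an added example of that algorithm, not code from the article or from any of the apps named; the secret is the RFC 6238 test-vector secret, and the replay protection (remembering the last accepted time step) is the check a real server needs on top of the bare algorithm.

```python
"""TOTP (RFC 6238) generation and verification, as authenticator apps do it.

Added example, not the article's code. Uses the RFC 6238 SHA-1 test secret
so the expected codes are the published ones.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 / RFC 4226 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """Code for the current 30-second step; identical on phone and server, nothing transmitted."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // STEP_SECONDS))


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Return the matching time-step counter, or None if rejected.

    The caller persists the returned counter and passes it back as
    last_used_counter next time, so an already-accepted code (or an older
    one) cannot be replayed inside the clock-skew window.
    """
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // STEP_SECONDS)
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted.strip()):
            return candidate
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code scanned by the app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    print(provisioning_uri("ExampleCorp", "alice@example.com", RFC_TEST_SECRET))  # constructed sample
    print(totp(RFC_TEST_SECRET, 59))            # 287082 (RFC 6238 vector, 6-digit form)
    print(verify_totp(RFC_TEST_SECRET, "287082", at_time=59))                      # 1
    print(verify_totp(RFC_TEST_SECRET, "287082", at_time=59, last_used_counter=1))  # None
```

The one secret that does cross a network is the enrolment URI, and only once, at setup; after that the scheme is immune to SMS interception, SIM swapping and notification peeking, although it remains vulnerable to a user being talked into reading the code out, which is why the advice about never sharing codes still applies.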
About Jade Global’s QA Services
Jade Global is a premier Advisory, Integration, Testing, Cloud & Consulting Services, Business Solutions, and IT Outsourcing company that services clients across multiple technology platforms. It provides the best Quality Assurance and Testing services, which can increase accuracy and productivity through a reduction in cost and time. Our Testing Services offer functional, non-functional, and test automation services to ensure your applications perform optimally. We combine our consulting and testing expertise with appropriate industry-specific testing solutions to address specialized requirements at your business’s core. Our Testing Services are a unique combination of traditional and the latest services spanning from QA of applications/software/systems to testing under new-generation technologies and platforms.