Most critical transactions today include SMS-based two-step verification: the authorizing organization or app sends a text message with a code to your phone to verify that you are who you say you are. Such transactions include password resets or changes, money transfers, and so on.
But have we ever stopped to consider how secure this method is? What other authentication methods exist? Is SMS authentication the best option of all?
What is 2-factor authentication?
Multifactor authentication combines two or more independent credentials:
- What the user knows (password)
- What the user has (security token)
- What the user is (biometric verification)
The main objective of MFA is to make sure that only authorized persons can access an organization's resources or assets. If the first authentication factor is compromised, an attacker still has to get past one more factor before gaining access to the system.
What is SMS-2-factor authentication?
In SMS 2-factor authentication, two factors are used: ‘what the user knows (password)’ and ‘what the user has (security token)’. The system asks for a username and password, then sends a one-time passcode to the user in a text message to verify that he or she is the authorized person. The user enters the passcode and gains access to the system or application. This method is used for first-time logins, password resets, and critical transactions.
SMS 2-factor authentication is popular because it is easy and super convenient for the user. Nowadays everyone has a mobile phone and always has it on them. They don’t need any new hardware or software, and they don’t have to go through any creepy fingerprinting process. They just need two things: a device (could be a phone) and a SIM card.
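The server side of the flow just described (issue a passcode, hand it to the SMS channel, check what the user types back) is where most of the defensive controls live. The following is an added example, not code from the original article or from Jade Global: an in-memory passcode store with the properties a verifier should have, namely an unpredictable code, a short lifetime, a guess limit, single use, and a constant-time comparison. The five-minute expiry and three-attempt limit are assumed policy values, and the SMS gateway call is left out; `issue()` returns the code the caller would pass to it.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a passcode expires five minutes after issue
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses invalidate the passcode


class OtpStore:
    """Server-side bookkeeping for one-time passcodes sent out of band (e.g. by SMS).

    The SMS gateway itself is out of scope: issue() returns the code that the
    caller hands to the gateway, and verify() checks what the user types back.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested deterministically
        self._pending = {}     # username -> (code, expires_at, attempts_left)

    def issue(self, username):
        """Create a fresh random passcode for the user, replacing any outstanding one."""
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = (code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, username, submitted):
        """Return True exactly once for a correct, unexpired passcode; otherwise False."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing outstanding (or already used)
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]       # expired: force a fresh challenge
            return False
        # constant-time comparison so response timing does not leak matching digits
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            attempts_left -= 1
            if attempts_left <= 0:
                del self._pending[username]   # too many guesses: discard the code
            else:
                self._pending[username] = (code, expires_at, attempts_left)
            return False
        del self._pending[username]           # single use: a replayed code fails
        return True


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print("would send by SMS:", code)
    print("first attempt:", store.verify("alice", code))    # True
    print("replay attempt:", store.verify("alice", code))   # False
```

The guess limit matters because a six-digit code with no attempt cap is brute-forceable within the lifetime of the challenge; single use matters because several of the risks listed further down (interception, phishing) hinge on an attacker using a code the victim has already seen.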
Dismissed by NIST
In July 2016, the US National Institute of Standards and Technology (NIST) issued guidance that found multifactor authentication implemented over SMS insecure and no longer suitable for authentication. NIST deprecated SMS multifactor authentication because of its vulnerabilities.
Risks in using SMS 2-factor authentication
Let’s take a look at some of the key vulnerabilities:
- Device (phone) stolen: Any physical device can be stolen, especially one that is always carried around. Unfortunately, the phone's lock screen does not protect the passcodes: if lock-screen notifications are enabled, a thief can read a passcode sent by SMS without unlocking or breaking into the phone.
- Trojans installed with apps: Many apps can access the SMS inbox and read the messages. If a trojan gets installed on the phone, it can use that access to read incoming messages and send the passcodes to the attacker.
- Intercepting the SMS in transit: SMS messages carrying passcodes can be intercepted through a basic flaw in the SS7 protocol used to route them. With SS7 access an attacker can wiretap conversations, track users' locations based on where the SMS is being delivered, and read the SMS before it reaches the intended user. In various countries both intelligence agencies and criminals are actively using unauthorized SS7 access. Posing as a foreign carrier, attackers with SS7 access redirect SMS messages sent to the victim's phone number to their own phone and obtain the passcodes they need to complete the transactions.
- Getting the same phone number as the victim: Using various underhanded tactics (persuasion, bribery, etc.), hackers obtain a new SIM card carrying the victim's number from a mobile phone store. SMS messages then go to this card, and the victim's phone is disconnected from the network.
- Phishing for passcodes: Hackers collect victims' usernames and phone numbers and then request password resets, which triggers passcodes. When the passcode arrives on the victim's phone, the hacker sends an SMS or makes a voice call saying something like: “Suspicious activity has been detected on your account. Reply with the code sent to your phone in order to prevent unauthorized access.” The hacker now has the code and can easily gain access to the account.
Today, most users and organizations still rely on SMS 2-factor authentication. Such organizations can adopt practices like the following:
- Don’t share passcodes with anyone, even someone claiming to be a legitimate representative
- Never share or write down your passwords
- Never select ‘Save password’ or ‘Remember me’ options in apps
- Use antiviruses and take precautions while installing apps
- Change your passwords frequently
Even after following all the best practices above, some users will still be attacked. So the main piece of advice is to avoid SMS-based one-time passwords whenever possible and consider other multifactor authentication methods such as:
- Authenticator apps – Google Authenticator, Microsoft Authenticator, FreeOTP, etc.
- Hardware authenticators – YubiKey, USB tokens, smart cards
- Biometrics – retina scan, iris scan, fingerprint
About Jade Global’s QA Services
Jade Global is a premier Advisory, Integration, Testing, Cloud & Consulting Services, Business Solutions and IT Outsourcing company that serves clients across multiple technology platforms. It provides Quality Assurance and Testing services that increase accuracy and productivity while reducing cost and time. Our Testing Services offer functional, non-functional, and test automation services to ensure your applications are performing optimally. We combine our consulting and testing expertise with appropriate industry-specific testing solutions to address the specialized requirements at the core of your business. Our Testing Services are a unique combination of traditional and latest services, spanning from QA of applications, software and systems to testing under new-generation technologies and platforms.