
Avenged110

macrumors 6502a
This better not have any effect on two-step verification because I use that with SMS. If they ever deprecate SMS for that, I guess I'll just go back to using security questions. I hope not. Even if SMS is "not secure," it's still likely better than not using two-step at all.
 

mtngoatjoe

macrumors 6502
Jun 10, 2008
270
56
While I generally agree, I still think it makes sense to have SMS as an option.

Some of the older generations are the ones most in need of better protection; no matter how much I try to get them to use a password manager, my parents are still using passwords of 8 characters or fewer that they can remember, so the same ones for everything; of them, one has a smartphone but has never installed any apps, and the other still has a "feature" phone, so SMS is the best option for them.

So yeah, while I prefer to use Authy where I can (especially because it can do Google Authenticator too, and sync all my codes) I also use a password manager for all sites and services, so I'm not that vulnerable to passwords being leaked anyway.
For those just using a Mac and an iOS device, I recommend using Safari's suggested passwords. You don't need to remember anything, and they sync across your Mac and iOS devices.

The hassle is when you sit down at another computer (like a PC) to try and do something. For those folks, using another password manager might be a good idea.
 

ziggie216

macrumors 6502
Jul 14, 2008
411
245
I still don't understand the difference between those two. The names alone are confusing.


Password - Something you know
Two Factor - Something you have (like a token or in this case, your iPhone)
Two Step - Something is given to you (like SMS code)
Biometrics - Something you are (finger print)

None are secure just by itself. That's why usually it's a combination of two methods.
 

MacSince1985

macrumors 6502
Oct 18, 2009
404
295
and then, we need to answer mandatory password recovery questions that are very easy to gather like "what city were you born in?" and "what's your mother's maiden name?"
 

usarioclave

macrumors 65816
Sep 26, 2003
1,447
1,506
The other advantage is of course that it doesn't require being connected, which can be a big advantage especially when traveling internationally.

I agree. One big problem with any network-based authentication is you need to be connected. It's obvious, but it's easy to forget as an architect: SMS won't work in a lot of data centers since there's no signal in a lot of them.

Security's all about balance anyway. What's appropriate for your user base?
 

sudo1996

Suspended
Aug 21, 2015
1,496
1,182
Berkeley, CA, USA
OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
I don't know if this article has it right. What is OOB? Out-of-band? Does that actually mean using it for two-factor auth? This needs to be verified before everyone freaks out.
Touch ID is already so easy and secure, people should just use that.
How? Apple doesn't provide any authentication service for third parties to use, and there's absolutely no way I am giving out my fingerprint to third-party servers.
Password - Something you know
Two Factor - Something you have (like a token or in this case, your iPhone)
Two Step - Something is given to you (like SMS code)
Biometrics - Something you are (finger print)

None are secure just by itself. That's why usually it's a combination of two methods.
Two factor means both something you have and something you know.
 

rich1383

macrumors newbie
Nov 11, 2010
20
2
Boston area
There needs to be a two step authentication any time you talk to carrier customer service.

The reason why SMS two step isn't safe is because your phone number can be rerouted without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

Pro Tip: 1Password can act as an authenticator app. No need for the Google Authenticator app or Authy.

How, exactly (no idea)? And 1P (which I use) is a paid app/service...
 

Rigby

macrumors 603
Aug 5, 2008
6,222
10,168
San Jose, CA
I still don't understand the difference between those two. The names alone are confusing.
Two-factor authentication is typically defined as requiring both something you know and something (physical) you have. Technically, none of the existing smartphone-based authentication systems are true two-factor schemes, since it is always technically possible to transfer the trust to another device with varying degrees of difficulty (e.g. SIMs can be cloned and phone numbers forwarded/redirected, TOTP seed keys can be copied, VoIP accounts can be hacked etc.).

As far as Apple's two-step and two-factor systems are concerned, the main difference is that two-factor is more tightly integrated into their operating systems (both iOS and Mac OS). Otherwise, both of them offer similar methods of delivering the codes (push notifications, SMS, or voice call). Two-step additionally has recovery keys, which are not available in two-factor. Two-factor can generate codes offline in the iOS settings, which is not possible with two-step.
 
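Rigby's remark that "TOTP seed keys can be copied" (and the bare "TOTP" answer given further down to jpn's question, plus the hope that services all use the same QR-code standard) is easiest to see with the algorithm itself. The following is an added example written for this page, not code posted by anyone in the thread and not Apple's, Authy's or Google's implementation. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and parses the otpauth:// URI that enrollment QR codes carry; the enrollment URI and account name are constructed, and the seed is the published RFC 6238 test seed, so the RFC's test vectors apply.

```python
"""RFC 6238 TOTP from scratch: the seed plus a clock is the whole secret."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(T / step). No device identity is involved,
    which is why a copied seed yields identical codes on any device."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step and +/-window neighbours for clock drift.
    compare_digest keeps the string comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def seed_from_otpauth_uri(uri: str) -> bytes:
    """Parse an otpauth://totp/... enrollment URI (the Google Authenticator key URI
    format that the QR codes encode). The secret is base32, conventionally unpadded."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding for b32decode
    return base64.b32decode(secret_b32)


# Constructed enrollment URI. The base32 secret decodes to the ASCII string
# "12345678901234567890", the test seed from RFC 6238 Appendix B.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def codes_agree_across_copies(uri: str, unix_time: int) -> bool:
    """Two devices holding the same QR code or URI derive identical codes; a screenshot
    of the QR code at enrollment time is all a second holder needs."""
    device_a = seed_from_otpauth_uri(uri)
    device_b = seed_from_otpauth_uri(uri)
    return totp(device_a, unix_time) == totp(device_b, unix_time)


if __name__ == "__main__":
    seed = seed_from_otpauth_uri(EXAMPLE_URI)
    print("current 6-digit code:", totp(seed, int(time.time())))
```

Note that the code is 8 digits in the RFC's test vectors only because the RFC uses digits=8; real enrollments default to 6, and the truncation step is identical.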

RedBear

macrumors member
May 9, 2007
82
274
I find it hilarious that so many people are defending SMS-based 2-factor authentication as "good enough". In just the past month I have seen two very large YouTube channels hacked (boogie2988 and LinusTechTips) even though they were both using SMS-based 2FA. How is this possible? Two-factor authentication is supposed to be much more secure. They were with two completely different cell phone companies, but the same ridiculously simple social engineering attack was used successfully in both cases. Someone calls the cell company and says, "Hi, I'm boogie2988, I lost my phone, can you transfer my number to a new phone please?" From there it's a simple process to take over the person's accounts using 2FA, because the SMS verification now goes to the attacker's phone. This simple attack worked even though boogie2988 had already been under attack via this method for weeks and had spoken with Verizon and received specific assurances that they would protect his phone number. LinusTechTips were hacked using the same simple attack on a different cell company. The cell phone companies have shown they are totally incompetent at protecting people's phone numbers from being transferred to an attacker, therefore SMS-based 2FA has been revealed as a total joke. If you're using SMS-based 2FA you would actually be better off not using 2FA at all and just using frequently-changed and randomly-generated long passwords. It is literally safer to NOT use SMS-based 2-factor authentication.
 

SteveW928

macrumors 68000
May 28, 2010
1,834
1,380
Victoria, B.C. Canada
I believe that it's currently set to 8 hours, a restart, or a password change. MCR has a good summary of the current situation. Setting it to 15 min. would make TouchID pointless.

Good point... maybe that was a bit too paranoid. :) How about an hour or two? (i.e.: haven't used touch ID within an hour or two.) But, I suppose a user should be able to set it.

The hassle is when you sit down at another computer (like a PC) to try and do something. For those folks, using another password manager might be a good idea.

There's no substitute for a good, cross-platform password manager. EVERYONE should be using one. I like PasswordWallet by Selznick. Just be sure you can control the data file (i.e.: store local if you want, control backup/archival).

and then, we need to answer mandatory password recovery questions that are very easy to gather like "what city were you born in?"...

That's why the answer to those kind of questions is something like: y1jp2y2bND11451L42f7
But, if one isn't aware of that, yea, they are insanely lame. That pretty much undoes any security they have in place if someone is being targeted.

There's still email, which is secure, and everyone has it. Steam two-factor auth uses it.

Email is secure?
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,700
Untrue, SMS Continuity does require the phone to be nearby; take a look at the documentation on Apple's website. iMessage is not part of Continuity at all. SMS Continuity refers to the 'green bubbles', and that does require the phone to be nearby (it no longer requires the devices to be on the same Wi-Fi network).

Nope, you're confused again. The feature I am referring to is called "Text Message Forwarding" on the phone. Read the text directly underneath it. "Allow your iPhone text messages to also be sent and received on other devices signed in to your iMessage account." How it works is it tunnels the SMS over iMessage from your phone to your laptop or iPad or whatever. It definitely does not require proximity, I've used it before when I've forgotten my phone at home.
 

GadgetDon

macrumors 6502
May 11, 2002
316
259
It's worth pointing out that the NIST is mostly about people accessing government servers. There's a difference between "You are accessing our sensitive data and it needs to be locked up" and "you are accessing your data and can choose how much protection you want".

SMS works, it's usable by anyone with a mobile phone (even a non-smart phone), and SMS + password is more secure than password alone.

There's two things that would make it more secure. First, as NIST recommends, check that the number really is associated with a cellular carrier as opposed to some sort of VOIP service. Second, work with phone makers (mostly Apple and Google) so text messages that match certain patterns don't get displayed on lock screens.
 

sudo1996

Suspended
Aug 21, 2015
1,496
1,182
Berkeley, CA, USA
From there it's a simple process to take over the person's accounts using 2FA, because the SMS verification now goes to the attacker's phone.
Well, the other problem is that YouTube apparently lets you reset the password just over SMS. The whole point of two-factor auth is that you need both the SMS and the password. If you can reset the password just with SMS, it's pointless.

I'm surprised how dumb the big companies have been with security. You also used to be able to reset an iCloud account's password only by answering security questions that others can know or find out easily, same with Yahoo!. What were they thinking?
 
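sudo1996's point that a password reset driven by SMS alone collapses two-factor back into one factor is worth modelling, because the flaw is in the recovery flow rather than in SMS delivery itself. The following is an added example written for this page, not code posted in the thread and not YouTube's, Google's or any carrier's system. The Account and CarrierNetwork classes, the recovery-key scheme and the function names are assumptions made for the model; the phone number, password and recovery key are constructed values. The carrier is reduced to a routing table, so a SIM swap is simply re-pointing a number at the attacker's inbox.

```python
"""Account-recovery model: the SMS factor must not be able to rewrite the password factor."""
import hashlib
import hmac
import secrets
import time


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, phone: str, recovery_key: str):
        self.phone = phone
        self.set_password(password)
        # Recovery key: a high-entropy secret the user stores offline. Stored hashed so
        # a database leak does not hand it to an attacker.
        self.recovery_key_hash = hashlib.sha256(recovery_key.encode()).digest()
        self.pending_sms = None  # (code, expiry) of the outstanding one-time code

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _pw_hash(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_pw_hash(password, self.salt), self.pw_hash)

    def send_sms_code(self, network, now: float) -> None:
        """Issue a 6-digit code, valid 5 minutes, single use, delivered to whoever the
        carrier currently routes self.phone to. The service cannot tell who that is."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_sms = (code, now + 300)
        network.deliver(self.phone, code)

    def check_sms_code(self, code: str, now: float) -> bool:
        pending, self.pending_sms = self.pending_sms, None  # burn the code either way
        if pending is None or now > pending[1]:
            return False
        return hmac.compare_digest(pending[0], code)

    def check_recovery_key(self, key: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(key.encode()).digest(),
                                   self.recovery_key_hash)


class CarrierNetwork:
    """Toy carrier: a number maps to whichever handset it was last ported to."""

    def __init__(self):
        self.routes = {}  # phone number -> inbox (list of received codes)

    def port(self, phone: str, inbox: list) -> None:
        self.routes[phone] = inbox

    def deliver(self, phone: str, code: str) -> None:
        self.routes[phone].append(code)


def login(acct: Account, password: str, sms_code: str, now: float) -> bool:
    """Genuine two-factor login: both checks must pass."""
    return acct.check_password(password) and acct.check_sms_code(sms_code, now)


def reset_password_weak(acct: Account, sms_code: str, new_password: str, now: float) -> bool:
    """The flaw sudo1996 describes: the second factor alone rewrites the first."""
    if acct.check_sms_code(sms_code, now):
        acct.set_password(new_password)
        return True
    return False


def reset_password_strict(acct: Account, sms_code: str, recovery_key: str,
                          new_password: str, now: float) -> bool:
    """Recovery additionally demands a secret the phone number never carried."""
    ok_sms = acct.check_sms_code(sms_code, now)
    ok_key = acct.check_recovery_key(recovery_key)
    if ok_sms and ok_key:
        acct.set_password(new_password)
        return True
    return False


def sim_swap_takeover(strict: bool) -> bool:
    """Attacker controls only the phone number. Returns True if they end up logged in."""
    now = time.time()
    acct = Account("correct horse battery staple", "+15555550100",
                   recovery_key="RK-constructed-example-key")
    network = CarrierNetwork()
    attacker_inbox: list = []
    network.port(acct.phone, attacker_inbox)  # the social-engineering call succeeded

    acct.send_sms_code(network, now)          # "forgot password" flow sends a code...
    code = attacker_inbox[-1]                 # ...which lands on the attacker's handset
    if strict:
        reset_ok = reset_password_strict(acct, code, "wrong-guess", "pwned", now)
    else:
        reset_ok = reset_password_weak(acct, code, "pwned", now)
    if not reset_ok:
        return False
    acct.send_sms_code(network, now)          # login step 2 sends another code
    return login(acct, "pwned", attacker_inbox[-1], now)
```

The weak flow is fully compromised by the carrier's mistake alone; the strict flow survives it because the attacker never obtained anything that was not routed through the phone number. The same reasoning applies to email-based resets when the email account itself is protected only by SMS.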

sudo1996

Suspended
Aug 21, 2015
1,496
1,182
Berkeley, CA, USA
Email is secure?
I'll put it this way: It's no less secure than a single password and, in many cases, is as secure as two-factor auth. Emails are encrypted and authenticated from client to server and vice versa via TLS. Server login is also secured with TLS, whether you use IMAP or use an HTTPS web interface. Email service providers can/SHOULD use two-factor auth, as Google and (I think) Apple do. If your email is Gmail... breaking into your email is as hard as breaking into your Google account.

The next level would be end-to-end security, I think. That's when you can't trust the email service. It's not practical to implement it, though.
SMS *is* the default on a mobile phone; even non-smartphone owners can take advantage of two-factor.

By basically doing something else, you'd be ignoring those that do not yet have a smartphone.

Better security is needed, but what can you do if you need to serve everyone? You need to support multiple standards.

When it comes to SMS, that is not proprietary; every phone can use it.
Email from a secure service provider is the best solution. It's open, it's free, it's secure, and everyone has it. There's no phone number required to use it. Phone number verification is only good for making it hard to mass produce accounts.
 

jpn

Cancelled
Feb 9, 2003
1,854
1,988
What is the tech term for those Apple 'popups' that are used for authentication on a trusted device? They don't come by SMS, and I suppose I've not thought about them before, but presumably they are more secure than SMS, as they are device specific, not just phone number (SMS) specific?!

TOTP
 

macsrcool1234

Suspended
Oct 7, 2010
1,551
2,130
There's still email, which is secure, and everyone has it. Steam two-factor auth uses it.

I would disagree with "secure", in that email itself requires a password and is accessible from anywhere, defeating the point of the token.

But apps are also much quicker.
Then these authenticator apps have to be improved, huge.

Already, I have an unwieldy collection of authenticator apps. It's ok if they're named specifically for the service they're authenticating, but when different services use different 'generic' apps, it's a real pain in the ass trying to remember which authenticator is holding which 2FA key for which service.

Most use a standard. We can only hope that Steam, Battle.net, etc. conform to the same standards using QR codes.
You are assuming that everyone on the planet has a smart phone

You do realize that there are other tokens other than a smartphone, right?
 

73b

macrumors regular
Aug 22, 2014
178
374
East Coast
But how do I use touchID to authenticate a webpage on my laptop?

How? Apple doesn't provide any authentication service for third parties to use, and there's absolutely no way I am giving out my fingerprint to third-party servers.

Apparently I was thinking of something different. On your iPhone some apps request a mobile number to verify but they could use Touch ID instead.
 

sudo1996

Suspended
Aug 21, 2015
1,496
1,182
Berkeley, CA, USA
Apparently I was thinking of something different. On your iPhone some apps request a mobile number to verify but they could use Touch ID instead.
Maybe there is another auth system that uses Touch ID. I just saw the article about Microsoft's thing. Maybe you found apps that use something like that. IDK, I might be wrong.
I would disagree with "secure", in that email itself requires a password and is accessible from anywhere, defeating the point of the token.

But apps are also much quicker.
Depends on the email service. Modern ones are more secure. I'd use Gmail for that since they'll prevent suspicious logins (e.g. from different countries) without additional verification. But you're right about email in its standard form. It is just another password.
 

dfelix

macrumors regular
Jul 13, 2011
112
141
Good riddance IMO.

If you are in a different country, you will never get that SMS delivered. If you are in an "unrecognized" country to begin with, you can't even get that first SMS. It sucks big time.

It's too bad it took hackers to point it out though.
 

drzow

macrumors newbie
Nov 24, 2015
6
2
Chicago
It's worth pointing out that the NIST is mostly about people accessing government servers. There's a difference between "You are accessing our sensitive data and it needs to be locked up" and "you are accessing your data and can choose how much protection you want".

This is an important point that I think was completely lost in this article and discussion: NIST publishes best practices. Using SMS for a second-factor is not a best practice. The only place that the NIST guidance holds any weight is within the US Government, and even there unless something is a Federal Information Processing Standard (FIPS), it is only a recommendation. This will have zero effect in how companies like Apple and Google operate.
 

flaw600

macrumors 6502
Jan 21, 2014
291
96
There's still email, which is secure, and everyone has it. Steam two-factor auth uses it.
No, it's not really secure, if you really think about it. It's arguably less secure than SMS
Nope, you're confused again. The feature I am referring to is called "Text Message Forwarding" on the phone. Read the text directly underneath it. "Allow your iPhone text messages to also be sent and received on other devices signed in to your iMessage account." How it works is it tunnels the SMS over iMessage from your phone to your laptop or iPad or whatever. It definitely does not require proximity, I've used it before when I've forgotten my phone at home.
I know what you're referring to. I mixed up the requirements between cell calls and Text Forwarding. The former does require proximity, and to my knowledge the initial version of Text Forwarding in iOS 8 did as well (I'd have to go back and look at the 2014 WWDC video, but I clearly remember them talking about a proximity requirement).

EDIT: The proximity requirement seems to be a requirement for Handoff for all devices as well as some Continuity features with iOS devices running iOS 8.
 

Andy2k

macrumors member
Jul 18, 2015
77
17
If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.

Really? That's weird, because every time I reboot my iPhone, Touch ID is disabled until I enter my PIN. So I think that nullifies this argument. So if you have a shred of common sense and time before you get arrested, reboot your phone. Also, they can't force you to unlock it without due process, which I can almost guarantee will take longer than the 48-hour grace period you get from iOS before your PIN is required again.
 

flaw600

macrumors 6502
Jan 21, 2014
291
96
Really? That's weird, because every time I reboot my iPhone, Touch ID is disabled until I enter my PIN. So I think that nullifies this argument. So if you have a shred of common sense and time before you get arrested, reboot your phone. Also, they can't force you to unlock it without due process, which I can almost guarantee will take longer than the 48-hour grace period you get from iOS before your PIN is required again.
Yeah, they can force you to use your finger to unlock the phone, but from what I understand (and I may be wrong), only with a warrant which for most crimes is probably more than 48 hours. Or just restart the phone. Eventually (hopefully) judges will start realizing the effect of compelling fingerprint usage.
 