Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen
What is the tech term for those Apple 'popups' that are used for authentication on a trusted device? They don't come by SMS, and I suppose I've not thought about them before, but presumably they are more secure than SMS, as they are device specific, not just phone number (SMS) specific?!
 
There have been public-private key encryption standards for SMS messages going back twenty years. Not a single carrier has implemented it on their network. Implement that and you can use SMS messages to verify without compromise.

My thoughts as well, in an ideal world I'd prefer the carriers fix the underlying routing issues, we're treating a symptom. I'm also realistic though and understand that won't occur any time soon so this guidance is then important. Well, important for the handful of people that are attractive enough as targets that someone would go through the trouble to obtain their message.

On the other end of the spectrum I'm finding it annoying that every service these days wants a mobile number to create a new account. Sometimes I just want a throw-away account and don't want you to have my phone number. This is becoming even more painful now that the big players are following the guidance of disallowing VoIP so none of the free SMS tools on the internet work.
 
No big deal. For people with iDevices that are trusted for second factor on their account, the code doesn't have to be sent via SMS today anyway. It can be sent directly to a trusted iDevice (using which method of transport, I'm not sure; but I know it's not SMS because the code doesn't show up in Messages.) Just don't use the SMS option. Opt to send the code directly to the device itself via a push notification.
 
Good.

SMS is a piss poor way of doing 2FA and lazy companies need to move towards apps such as Google Authenticator, Authy, etc.
While I generally agree, I still think it makes sense to have SMS as an option.

Some of the older generations are the ones most in need of better protection; no matter how much I try to get them to use a password manager my parents are still using passwords of 8 characters or less that they can remember, so the same ones for everything; of them, one has a smartphone but has never installed any apps, and the other still has a "feature" phone, so SMS is the best option for them.

So yeah, while I prefer to use Authy where I can (especially because it can do Google Authenticator too, and sync all my codes) I also use a password manager for all sites and services, so I'm not that vulnerable to passwords being leaked anyway.
 
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:
They also choose iPhones for the US Army because of their security. Government is so kooky.
 
If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
Apple could implement a feature that disables Touch ID if a specific finger (user's choice) is used to try to unlock. e.g. the right thumb disables and the left pinky unlocks... for that matter: right index wipes.

How secure is Google Authenticator? I've heard the RSA "decoder" fobs were hacked. Google, Amazon and Outlook use this and it is relatively easy to use.
 
Good.

SMS is a piss poor way of doing 2FA and lazy companies need to move towards apps such as Google Authenticator, Authy, etc.

No kidding... SMS is just piss poor to begin with. Why not add fax or smoke-signal-generators to our smart phones, too?

That said, many services/companies are still using 'security questions' which for most, kind of undoes any security anyway. (i.e.: only people who understand security will answer them with random strings, which they store in their password managers... which if people used in the first place would make things pretty secure to begin with)

And, then there's Apple, popping up the main account login dialogs often and all over the place, pretty much training users to be phished (instead of having ONE location in main settings to enter it, and NEVER asking for it outside of that).

So, security is only as good as those bone-headed moves anyway, for the most part.

While I generally agree, I still think it makes sense to have SMS as an option.

Some of the older generations are the ones most in need of better protection; no matter how much I try to get them to use a password manager my parents are still using 8 characters or less passwords...

You can't get your parents to use a password manager, but CAN get them to use 2FA? How did you do that? :) It seems if you're going to go through a bit of education effort anyway, a password manager makes things WAY easier, whereas 2FA adds a good bit of complexity/work.
They also choose iPhones for the US Army because of their security. Government is so kooky.

Or, they know something we don't. ;)
 
While it may not be perfect, the suggestion that everyone should use an app eliminates any two-factor authentication for small companies/developers who may not have those resources starting out.
That's what standards are for. There are already plenty of apps for standard TOTP codes, no need for any developer to re-invent the wheel.
 
So, are we talking about 2-factor authorization that seems to be employed by many companies during the registration process? Or are we talking about the 2FA that can be enabled on services, such as Twitter, where you cannot login without a second form of identification? Because I'm okay with the first use, the second use I am not okay with.
 
No big deal. For people with iDevices registered for second factor on their account, the code isn't sent via SMS today anyway. It's sent directly to the iDevice (using which method of transport, I'm not sure; but I know it's not SMS because the code doesn't show up in Messages.)
It uses push notifications by default, but you can optionally get the codes delivered by SMS as well (just click "didn't get the code" e.g. on iCloud.com), so Apple's system is just as vulnerable as others that use SMS.
 
But how do you setup a trusted device? To have a trusted device you first have to go through this process on that device.

I did it on my PC at appleid.apple.com. Before you can access the security tab to edit anything on your account you have to answer security questions (if you don't already have 2FA activated). You turn on Find My iPhone on the device you want to use, then select it from your list of devices. You get a code on your iPhone which you enter into the browser, and it activates the device as trusted.

I've never actually done this from a device, but I suppose it's possible. Just much easier to do on a PC or Mac so you don't have to use your device while waiting for codes to show up on that device.
 
There are levels of security that are acceptable.

Is SMS better than email?
Is SMS better than a phone call?
Is SMS better than a fax?
Is SMS better than a post-it note?
Is SMS better than an encrypted file?

What NIST is doing is silly. They'll never be able to guarantee that the delivery chain is secure because it's outside of their scope. When a message goes out via a given communication path there's no way at all for anyone to really guarantee that the path is secure unless the company in question controls the end-to-end infrastructure. And even then there's no guarantee, because mistakes can be made.

That's why it's two-factor - hopefully both factors haven't been compromised.
 
There needs to be a two step authentication any time you talk to carrier customer service.

The reason why SMS two-step isn't safe is because your phone number can be rerouted without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

Pro Tip: 1Password can act as an authenticator app. No need for the Google Authenticator app or Authy.

For anyone interested, 1Password's TOTP here. Notice the last section too, "If you really want true 2 factor".

Switching from Google Authenticator to 1Password TOTP here.
 
Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen.

But more importantly, while the article rightly points out that SMS can be spoofed or intercepted, it completely ignores the question of 'is it secure enough'? For nuclear launch codes, no, agree it's not. But for securing a gmail account? It's the best option available at the moment.
Yes they do, as a backup.
 
This is regarding authentication on WhatsApp or Telegram. The condition for these apps to work is to sync your phone to your account and that is indeed wrong.
 
I use Duo Security's iOS app for TOTP and YubiKeys for backups (alternatives).

I do like Duo because I use the Duo integrations to set up MFA for my own servers and services (e.g. 2-factor to SSH into my VPSes, WordPress site, etc.).
 
Good.

SMS is a piss poor way of doing 2FA and lazy companies need to move towards apps such as Google Authenticator, Authy, etc.
I actually avoid using apps for 2FA because they severely disrupt my workflow - especially if I'm on desktop. SMS is universal, and to my knowledge no one has shown that there have been compromises using SMS as a 2FA method.
 
If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.

Source? I talked with a judge about police being able to force phone unlock without a warrant if only TouchID was required, and he said he'd suppress any such evidence as 'fruit of a poisoned tree.' It's still considered search.
 