I actually avoid using apps for 2FA because they severely disrupt my workflow - especially if I'm on desktop. SMS is universal, and to my knowledge no one has shown that there have been compromises using SMS as a 2FA method.
Actually, compromises of SMS are pretty common. It has been used by malware to steal banking one-time codes for years, see e.g.:

http://www.pcworld.com/article/2020...f-malware-stealing-bank-data-sent-by-sms.html
https://blogs.sophos.com/2014/02/05...ntercepts-sms-messages-to-steal-banking-info/

There are also many known cases where bad guys used social engineering to get a carrier to redirect SMS. Here's a recent example:

https://www.engadget.com/2016/06/10/hacker-hijacks-deray-by-redirecting-his-verizon-phone-number/

Finally, some people are starting to use services like Google Voice to receive SMS security codes. Of course, if the Google account gets hacked ...
 
Good.

SMS is a piss-poor way of doing 2FA and lazy companies need to move towards apps such as Google Authenticator, Authy, etc.

Then these authenticator apps have to be improved, hugely.

Already, I have an unwieldy collection of authenticator apps. It's ok if they're named specifically for the service they're authenticating, but when different services use different 'generic' apps, it's a real pain in the ass trying to remember which authenticator is holding which 2FA key for which service.
 
That's why it's two-factor - hopefully both factors haven't been compromised.

No, Apple wrecked the second factor. They put in OS X Messages forwarding. So somebody who's compromised my Mac, logs in with a keylogged/saved password, the SMS comes to my phone then to my desktop Messages app, and they log in. I do this all the time, so I don't have to get out my phone.

As an extension, Apple's phone call on desktop feature (along with softphones) ruins voice call authentication.
 
Apple can send an iMessage.
They'd have to find a service that does that, because the current system does it via text. Also, not all Apple users use iMessage.
Then these authenticator apps have to be improved, hugely.

Already, I have an unwieldy collection of authenticator apps. It's ok if they're named specifically for the service they're authenticating, but when different services use different 'generic' apps, it's a real pain in the ass trying to remember which authenticator is holding which 2FA key for which service.
This. If we could have a service that could authenticate for every other service then this would work. But SMS is (at least in the West) universal.
What is the tech term for those Apple 'popups' that are used for authentication on a trusted device? They don't come by SMS, and I suppose I've not thought about them before, but presumably they are more secure than SMS, as they are device specific, not just phone number (SMS) specific?!
The pop-ups are an in-house solution specifically for Apple devices, but we're talking about the solution where the verification number comes by text.
No big deal. For people with iDevices registered for second factor on their account, the code isn't sent via SMS today anyway. It's sent directly to the iDevice (using which method of transport, I'm not sure; but I know it's not SMS because the code doesn't show up in Messages.)
Actually, this is untrue. You're given the option to send it via SMS, which personally I do (mainly because I don't want to have to go to my mobile device to authenticate my MBP).
 
Then these authenticator apps have to be improved, hugely.

Already, I have an unwieldy collection of authenticator apps. It's ok if they're named specifically for the service they're authenticating, but when different services use different 'generic' apps, it's a real pain in the ass trying to remember which authenticator is holding which 2FA key for which service.
It's not really the apps that need to be improved. There are already very good ones out there. Rather, the services need to be pressured to use the established standards (TOTP/RFC 6238 for time-based and HOTP/RFC 4226 for event-based codes) rather than proprietary schemes. Services that require their own branded app are the worst (looking at you, Steam!).
 
Actually, compromises of SMS are pretty common. It has been used by malware to steal banking one-time codes for years, see e.g.:

http://www.pcworld.com/article/2020...f-malware-stealing-bank-data-sent-by-sms.html
https://blogs.sophos.com/2014/02/05...ntercepts-sms-messages-to-steal-banking-info/

There are also many known cases where bad guys used social engineering to get a carrier to redirect SMS. Here's a recent example:

https://www.engadget.com/2016/06/10/hacker-hijacks-deray-by-redirecting-his-verizon-phone-number/

Finally, some people are starting to use services like Google Voice to receive SMS security codes. Of course, if the Google account gets hacked ...
Fair enough, thanks for the info. I still think that current auth apps are pretty terrible. I want a universal solution, not a piecemeal one.
No, Apple wrecked the second factor. They put in OS X Messages forwarding. So somebody who's compromised my Mac, logs in with a keylogged/saved password, the SMS comes to my phone then to my desktop Messages app, and they log in. I do this all the time, so I don't have to get out my phone.

As an extension, Apple's phone call on desktop feature (along with softphones) ruins voice call authentication.
So then don't set up Continuity if you're worried about that security issue. Continuity isn't even on by default. This isn't disregarding that issue, btw, b/c it's one that I've thought of, but here's something to think about: to do that, a thief would have to take both your Mac and your phone, since forwarding depends on your phone being nearby (unless you've signed up for a service like AT&T's where location doesn't matter).
 
Actually, this is untrue. You're given the option to send it via SMS, which personally I do (mainly because I don't want to have to go to my mobile device to authenticate my MBP).

It's not untrue at all. You're given the option of using SMS, as you said. It's an option, but that's not what I was referring to. I was referring to the push notification that's sent directly to the device, which, as far as I know, is not sent via SMS.

Edit: I will modify my original post to make it more clear.
 
Fair enough, thanks for the info. I still think that current auth apps are pretty terrible. I want a universal solution, not a piecemeal one.
That's exactly what standard TOTP would provide, if some services didn't insist on using proprietary schemes. One app could provide the codes for all services you use. Fortunately many of the big ones like Google, Microsoft, Amazon, Facebook, Dropbox etc. understand that.
 
NIST took money from the NSA to weaken and or push an encryption algorithm that had a dubious seed value which was "suggested" by the NSA. They can take a flying leap.

What? The NIST is a government agency--part of the Department of Commerce. They don't "take money" from anyone other than the federal government (and taxpayers, of course).
 
Source? I talked with a judge about police being able to force phone unlock without a warrant if only TouchID was required, and he said he'd suppress any such evidence as 'fruit of a poisoned tree.' It's still considered search.
It's not about conducting a search without a warrant. Courts have stated that with a search warrant the cops can force you to use your finger to unlock a device. However, they can't force you to speak, so you're not required to give a password.

Edit:
http://9to5mac.com/guides/touch-id-court-case/
 
It's not about conducting a search without a warrant. Courts have stated that with a search warrant the cops can force you to use your finger to unlock a device. However, they can't force you to speak, so you're not required to give a password.

Edit:
http://9to5mac.com/guides/touch-id-court-case/

Luckily, for now, I think after some amount of time, you have to put in the password again, right? And, all the court stuff takes time. That might do the trick.
 
So then don't set up Continuity if you're worried about that security issue. Continuity isn't even on by default.

But I want Messages Continuity, yet many services, Google I think is one, require you to set up a phone. This is why you need NIST to point out it's broken. And SMS continuity doesn't require the phone to be nearby, it talks to the phone over iMessages.
 
Why doesn't Apple just use what's already out there? No SMS required... Just the Google Authenticator app on smartphones.

Oh right, it's a "Google" application... Apple hates using Google services, don't they? More and more companies are adopting this method over SMS, because it's more secure.

But even Google's own Gmail sends a "text" to your phone anyway.

Actually, compromises of SMS are pretty common. It has been used by malware to steal banking one-time codes for years, see e.g.:

http://www.pcworld.com/article/2020...f-malware-stealing-bank-data-sent-by-sms.html
https://blogs.sophos.com/2014/02/05...ntercepts-sms-messages-to-steal-banking-info/

I wouldn't call that a 'hack' per se.

If a user installs a malware app and they get targeted from that malware app, that is not a hack... The user got fooled like anyone could by installing malicious apps. Don't use those apps.

I like the design and of these are "hacks" and the system is broken, but there is a difference between something that is broken and something "the user had to use to break it," usually by using a different app other than the default... Once you do that, anything you do afterwards to say "hey, I got bit" is laughable.

We get fooled so easily.
 
That's exactly what standard TOTP would provide, if some services didn't insist on using proprietary schemes. One app could provide the codes for all services you use. Fortunately many of the big ones like Google, Microsoft, Amazon, Facebook, Dropbox etc. understand that.
I understand that there's a standard. A standard is useless if it's not, well, standard. I'd argue that most services have proprietary schemes, which makes the standard pointless. Moreover, SMS is less disruptive than apps that do use the standard, thanks to Forwarding.
 
Luckily, for now, I think after some amount of time, you have to put in the password again, right? And, all the court stuff takes time. That might do the trick.
After not being unlocked for a time or a restart it needs your password. A search warrant could be issued for your property before you are even arrested. Which could lead to them only needing to use your finger to unlock the phone. Also if it's a weekday or a major crime they could get the warrant within the time frame, before a password is required.
 
But I want Messages Continuity, yet many services, Google I think is one, require you to set up a phone. This is why you need NIST to point out it's broken. And SMS continuity doesn't require the phone to be nearby, it talks to the phone over iMessages.
Untrue, SMS Continuity does require the phone to be nearby - take a look at the documentation on Apple's website. iMessage is not part of Continuity at all. SMS Continuity refers to the 'green bubbles' and that does require the phone be nearby (it no longer requires the devices be on the same wifi network)
 
After not being unlocked for a time or a restart it needs your password. A search warrant could be issued for your property before you are even arrested. Which could lead to them only needing to use your finger to unlock the phone. Also if it's a weekday or a major crime they could get the warrant within the time frame, before a password is required.

Hmm, need to be able to set it to like 15 min or something.
 
I understand that there's a standard. A standard is useless if it's not, well, standard. I'd argue that most services have proprietary schemes, which makes the standard pointless. Moreover, SMS is less disruptive than apps that do use the standard, thanks to Forwarding.

SMS *is* the default on a mobile phone... even non-smartphone owners can take advantage of 2 factor.

By basically doing something else, you'd be ignoring those that do not yet have a smartphone.

Better security is needed, but what can you do if you need to serve everyone? You need to support multiple standards.

When it comes to SMS, that is not proprietary; every phone can use it.
 
Why doesn't Apple just use what's already out there? No SMS required... Just the Google Authenticator app on smartphones.

Oh right, it's a "Google" application... Apple hates using Google services, don't they? More and more companies are adopting this method over SMS, because it's more secure.

But even Google's own Gmail sends a "text" to your phone anyway.
Um, few companies are using the actual standard. Apple does allow for device-based authentication, they just have SMS as an option for those who don't want to register their devices. If Apple already has device-based authentication, what does using Google Authenticator bring as an advantage?
SMS *is* the default on a mobile phone... even non-smartphone owners can take advantage of 2 factor.

By basically doing something else, you'd be ignoring those that do not yet have a smartphone.

Better security is needed, but what can you do if you need to serve everyone? You need to support multiple standards.

When it comes to SMS, that is not proprietary; every phone can use it.
You clearly didn't understand my post, as I agree with what you've pointed out here.
 
I understand that there's a standard. A standard is useless if it's not, well, standard. I'd argue that most services have proprietary schemes, which makes the standard pointless.
Like I pointed out above, the most popular services such as Google etc. use the standard. I'd say the proprietary ones are the minority.
Moreover, SMS is less disruptive than apps that do use the standard, thanks to Forwarding.
Forwarding is exactly what makes them vulnerable.
 
Hmm, need to be able to set it to like 15 min or something.
I believe that it's currently set to 8 hours, a restart, or a password change. MCR has a good summary of the current situation. Setting it to 15 min. would make TouchID pointless.
 
Why doesn't Apple just use what's already out there? No SMS required... Just the Google Authenticator app on smartphones.

Oh right, it's a "Google" application... Apple hates using Google services, don't they? More and more companies are adopting this method over SMS, because it's more secure.
It's worth repeating that Google Authenticator is *not* based on some proprietary Google service. They use the standard RFC 6238 TOTP codes, same as many other code generator apps. Apple could easily adopt it. In fact, they may already be using it internally for the offline codes that you can generate in the iOS settings if you use the new two-factor scheme (without providing a way to sync your own TOTP app though).
 
It's worth repeating that Google Authenticator is *not* based on some proprietary Google service. They use the standard RFC 6238 TOTP codes

Google authenticator is fine, but by design it's not really the same as an SMS. Why?

Google authenticator shows that you had device control at some point in time. SMS shows that you have device control close to now.

I can have google auth on multiple devices, and I can give that device to someone else and they can use it. Doing that isn't as straightforward under SMS (at least before VoIP), since theoretically each phone number is unique.

SMS used to be based on the idea that your phone was your key, and the phone # identified that and showed that you had device control. That boundary is now gone, but it's unclear what can really replace it.
 
Google authenticator is fine, but by design it's not really the same as an SMS. Why?

Google authenticator shows that you had device control at some point in time. SMS shows that you have device control close to now.
Not really. At most it shows that you have access to the phone service that the number belongs to.

The bad thing about this is that an attacker can, under certain circumstances, gain access to that phone service remotely without ever having access to the legitimate user's device, e.g. by getting the carrier to redirect the number via social engineering or, as you mentioned, hacking an account if it's a VoIP number.
I can have google auth on multiple devices, and I can give that device to someone else and they can use it. Doing that isn't as straightforward under SMS (at least before VoIP), since theoretically each phone number is unique.
The Google Authenticator app does not allow copying the TOTP key to other devices, but I get your point (since other TOTP apps do). In any case the user is in control and can keep the key safe, which is not the case for SMS.
SMS used to be based on the idea that your phone was your key, and the phone # identified that and showed that you had device control. That boundary is now gone, but it's unclear what can really replace it.
I feel much more secure with an offline code generator. The other advantage is of course that it doesn't require being connected, which can be a big advantage especially when traveling internationally.
 