SMS-2FA: Why it’s still more popular than ever
Let me preface this article with the following: SMS-2FA will always be better than single-factor authentication, regardless of the security implications of SMS-2FA.
As an IT professional, I’ve been acutely aware of the issues surrounding the use of SMS-2FA and the risk that SIMjacking poses. The mainstream YouTube channel Cheddar recently released a video covering SIMjacking and its implications in a world where a number meant to identify you is also used as a security code.
Although TOTP-2FA and FIDO-U2F protocols are on the rise, SMS-2FA remains popular, and for some services, is still the only 2FA option on offer.
Implications for online banking
As a Quebecker, I have a handful of mainstream financial institutions to choose from: Desjardins, TD, Bank of Montreal, ScotiaBank, National Bank, Royal Bank, CIBC, Tangerine, HSBC and a few others that I’m missing.
As of October 2019, only Desjardins, TD, CIBC, HSBC and Tangerine have any form of 2FA, with ScotiaBank offering 2FA elsewhere but not in Canada. The only bank to offer anything other than SMS-2FA is HSBC, which offers both a 2FA dongle and 2FA through its mobile app.
Although Tangerine offers SMS-2FA, the only passcode allowed on its website is a numeric passcode with a maximum of six digits. 6 digits. Your entire life, relying entirely upon these 6 digits and your phone number. My guess is that Tangerine relies entirely on SMS-2FA for security, which is extremely bad if that six-digit passcode gets breached. Even with hashing and salting in the database, short passwords or passcodes are much easier to crack than longer ones, simply because there are far fewer candidates to try.
How can they get away with such a blatant disregard for security hygiene? One word: Insurance. A breach doesn’t matter if it costs them less to insure their assets and money than it does to implement proper security hygiene with TOTP-2FA or FIDO-U2F support (which is very little, but their systems are so ancient nobody really knows).
If someone really wants to get into your bank account, they are one keylogger and one SIMjack away from getting in there.
Implications for social media accounts
Reddit was breached back in 2018 because an employee was using SMS-2FA to secure their access to a VPS hosting part of the site.
Since then, many celebrities, high-profile individuals and corporate accounts have been breached. More recently, Twitter CEO Jack Dorsey’s account was hijacked via the platform’s SMS tweeting feature, more than likely as a result of SIMjacking.
As mentioned in the Cheddar video referenced above, hijacking of unique social media handles can be lucrative. You should watch the video for more details on the topic.
So… Why is SMS-2FA still popular with users and why isn’t TOTP-2FA popular?
At the end of the day, even with the recent mainstream exposure to the topic, people will still keep using SMS-2FA and companies will continue to only provide SMS-2FA for one simple reason: Convenience.
SMS-2FA is easy and can be interacted with in the same way you interact with all your other text messages. It’s like getting a message from a friend. It’s familiar and easy to understand and use. It’s not a separate app; the SMS application is already included with your mobile device. Why look further?
Banks and other sites providing authentication services may not find it financially worthwhile to implement a system that only a fraction of their users will understand how to use.
With all of this said: I put the blame on smartphone manufacturers for not embedding 2FA as part of their operating system. Google, Apple, make it a part of the camera app. Point the device at a TOTP-2FA QR code, add the code to a secure data store on the phone and make it easy for the user to access the feature using biometrics. The more convenient TOTP-2FA becomes, the more mainstream it gets, and in turn, more financial institutions and other corporations will adopt the system.