Text Message Based Two-Factor Authentication is a Weak Form of Security, Choose a More Robust Method of Multi-Factor Authentication Instead

Louis Powers
3 min read · Dec 7, 2017

What is Multi Factor Authentication?

NIST defines multi-factor authentication as two or more of something you know, something you have, and something you are. [1]

Multi-Factor Authentication is not a new security method. Despite its ease of implementation, low cost, and the large step up in security it offers over password-only authentication, it is still used by only a quarter of Americans. [2] In fact, many large-scale data breaches can be traced to a lack of multi-factor authentication. Take for example the Democratic National Convention email hack. [3] Even simple 2FA could have prevented many recent high-profile data breaches.

However, not all forms of multi-factor authentication are created equal. Systems like RSA SecurID that use physical security keys or generate login tokens are stronger than SMS-based MFA. Although, as Wardrop was quick to mention, SMS MFA is much better than nothing.

SMS-based MFA is weak and vulnerable. One weakness is noted by security researcher and forensic expert Jonathan Zdziarski:

“SMS is just not the best way to do this, it is depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.” [4]

Another vulnerability of SMS-based MFA was demonstrated in Operation Emmental, where banking malware was used to scrape SMS one-time passwords from Android phones. This is just another example of how SMS-based MFA is susceptible to exploitation. [5]

The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication guidelines to discourage SMS-based MFA and encourage the use of more robust MFA alternatives.

More robust methods of multi-factor authentication

In general, systems that use physical security keys such as smart cards, or that generate login tokens through an application on the device, are a stronger form of multi-factor authentication than SMS-based MFA: the one-time code is derived locally from a shared secret and never travels over the telephone network. U2F is another MFA method that attempts to strengthen the process using specialized USB or NFC devices. U2F is an open authentication standard that was initially developed by Google and Yubico, with contributions from NXP Semiconductors. U2F is now an open standard hosted by the FIDO Alliance.

However, with over 200 multi-factor authentication vendors on the market, it can be difficult to choose the right vendor and method of MFA. Alienvault Inc’s security blog has a detailed post outlining the strengths and weaknesses of different MFA methods. [6]

References:

[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

[2] https://duo.com/blog/state-of-the-auth-experiences-and-perceptions-of-multi-factor-authentication

[3] http://dailycaller.com/2017/01/04/an-18-piece-of-tech-might-have-prevented-a-giant-email-headache-for-john-podesta-dnc/

[4] https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

[5] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

[6] https://www.alienvault.com/blogs/security-essentials/is-your-multi-factor-authentication-solution-the-real-thing
