The post-SS7 future of 2FA
Two weeks ago, the German newspaper Süddeutsche Zeitung reported that attackers had used vulnerabilities in the SS7 network (the signalling system carriers use to route calls and text messages between networks, including when you're roaming) to drain their victims' bank accounts. The SS7 vulnerabilities have been public for years and were even demonstrated on 60 Minutes last summer. Now they have been exploited in the wild to intercept two-factor authentication (2FA) codes and break into bank accounts.
Since the report there has been a fresh wave of news about the problems of using SMS for security, along with calls to end SMS-based 2FA. The security problems are very real and important, but SMS-based 2FA isn't going anywhere soon, and that's a good thing.
Last year the National Institute of Standards and Technology (NIST) said, in a draft of its Digital Identity Guidelines (SP 800-63B), that it would deprecate SMS as an out-of-band authenticator. That also produced a press cycle about the downfall of SMS-based 2FA, yet it was followed by a spike of new support for SMS-based 2FA, notably from Instagram.
There are other forms of 2FA that are much more secure than SMS, but security isn't a single-solution problem. SMS plays the important role of being the easiest form of 2FA to set up, which is why it is also the most widely adopted. Instead of giving a few people bodyguards, it's like giving most people an extra lock on their door. Rather than asking how to get rid of SMS-based 2FA, we should be asking what we need to do to protect the people who are already using it.
Start with SMS, then push further
Account security isn't defined by a single moment; it has to consider the whole lifetime of an account and the full spectrum of available protections. SMS-based 2FA is stronger than a password alone, and there are more secure forms of 2FA, such as TOTP (Time-based One-Time Passwords) and push-based approval (Google Prompt, Microsoft Authenticator, Yahoo Account Key, Authy OneTouch). Adding SMS-based 2FA should be just the first step in the journey of protecting customers.
Every 2FA SMS should include a link to download an app for 2FA (always pointing at the same well-known domain, so users aren't trained to follow arbitrary links in text messages), which also means that apps and websites should support TOTP or push for the users who want them.
We all need to be educated about the security options available to us, and there need to be processes that walk us through better protections for our accounts. We should get regular reminders of the devices and applications attached to our accounts, along with recommendations on how to manage them.
SMS-based 2FA is only one part of good account security, but it’s a great first step.
Learn the scary patterns and look out for them
An attacker can use the SS7 vulnerabilities to intercept SMS messages, but to do it they have to re-register the victim's phone as roaming on a network they control, which changes the subscriber's record in the home carrier's HLR (Home Location Register). Whoever is sending the SMS should therefore do an HLR lookup before sending the code and raise a red flag when the number suddenly appears on an unexpected network, especially a foreign one, because that is what an SS7 attack looks like from the outside. The website you're logging into can then check in with you on another channel, such as a push notification or an emailed link, to make sure it's really you.
The same approach works for another major SMS attack, SIM spoofing (better known as SIM swapping), in which the attacker persuades the carrier to move the victim's number onto a SIM they hold. The new SIM carries a new IMSI (International Mobile Subscriber Identity), so tracking the customer's IMSI and flagging any change since enrollment catches it. I'm getting too far into the weeds here, but there are clear patterns that applications sending SMS can use to increase the security of your account when it's likely under attack.
If companies treat SMS as a dumb pipe, they won’t notice when someone’s tampering with it. However, with good visibility into the network they’re using, SMS becomes much harder to exploit.
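As an added example (not code from the original post, and not any lookup vendor's API), here is the check described above written as a risk decision made at the moment an OTP SMS is about to be sent. It assumes that an HLR lookup was recorded at 2FA enrollment as a baseline (IMSI plus the serving network's MCC/MNC) and that a fresh lookup is available now; the field names, the subscriber data and the mobile codes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


# Constructed HLR lookup result. The field names are an assumption for this
# example, loosely following what commercial lookup APIs return; they are not
# any particular vendor's schema.
@dataclass
class HlrResult:
    imsi: Optional[str]   # None when the lookup provider masks the IMSI
    mcc: Optional[str]    # mobile country code of the network currently serving the number
    mnc: Optional[str]    # mobile network code of that network
    reachable: bool       # False when the HLR reports the handset absent/unreachable


@dataclass
class Baseline:
    """What was recorded at 2FA enrollment, from an HLR lookup made at that time."""
    imsi: str
    mcc: str
    mnc: str


@dataclass
class Decision:
    action: str                                  # "send", "step_up" or "retry"
    reasons: List[str] = field(default_factory=list)


def assess_sms_delivery(baseline: Baseline, lookup: HlrResult) -> Decision:
    """Decide whether to send the OTP over SMS or verify on another channel first.

    An SS7 interception re-registers the victim's IMSI on a network the attacker
    controls, so the serving MCC/MNC changes while the IMSI stays the same.
    A SIM swap issues a new SIM, so the IMSI changes while the serving network is
    usually still the home network. Either signal routes the login to push or an
    emailed link instead of trusting the SMS.
    """
    if not lookup.reachable:
        # The HLR cannot say where the number is; an SMS would only queue, so
        # look again later rather than guess.
        return Decision("retry", ["handset not reachable; serving network unknown"])

    reasons: List[str] = []
    suspicious = False

    if lookup.imsi is None:
        reasons.append("IMSI masked by lookup provider; SIM swap check skipped")
    elif lookup.imsi != baseline.imsi:
        suspicious = True
        reasons.append("IMSI differs from enrollment record (possible SIM swap or number port)")

    if lookup.mcc != baseline.mcc:
        suspicious = True
        reasons.append(
            f"number now served in MCC {lookup.mcc}, enrolled in {baseline.mcc} "
            "(possible SS7 relocation; legitimate travel looks the same)"
        )
    elif lookup.mnc != baseline.mnc:
        suspicious = True
        reasons.append(
            f"number now served by MNC {lookup.mnc}, enrolled on {baseline.mnc} "
            "(possible SS7 relocation or number port)"
        )

    return Decision("step_up" if suspicious else "send", reasons)


# Constructed sample data: a subscriber enrolled on a network in MCC 234 (UK).
# The IMSIs are made up; the codes are only illustrative.
BASELINE = Baseline(imsi="234150000000001", mcc="234", mnc="15")

LOOKUPS = {
    "normal":         HlrResult(imsi="234150000000001", mcc="234", mnc="15", reachable=True),
    "ss7_relocation": HlrResult(imsi="234150000000001", mcc="310", mnc="410", reachable=True),
    "sim_swap":       HlrResult(imsi="234150000000077", mcc="234", mnc="15", reachable=True),
    "masked_imsi":    HlrResult(imsi=None, mcc="234", mnc="15", reachable=True),
    "unreachable":    HlrResult(imsi=None, mcc=None, mnc=None, reachable=False),
}

if __name__ == "__main__":
    for name, lookup in LOOKUPS.items():
        decision = assess_sms_delivery(BASELINE, lookup)
        print(f"{name:15s} -> {decision.action:8s} {'; '.join(decision.reasons)}")
```

Two design points matter in practice. The check runs when the code is requested, not only at enrollment, because the attacker's re-registration happens minutes before the interception. And a foreign MCC is deliberately a step-up rather than a block, since a customer who is actually travelling produces the same signal; once they confirm on the other channel, the stored baseline should be updated to the new serving network so the flag clears.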
Make sure the message gets to the right place every time
I'm going to try to keep this at a high level, but there are a lot of intricacies in how different carriers handle SMS messages. For example, Verizon makes subscribers' SMS messages available in a web portal, which should be disabled for any traffic carrying 2FA codes. Carriers also have different priorities and preferences for how messages are sent (short codes, long codes, alphanumeric sender IDs), and these need to be set up correctly to make sure customers actually receive their messages.
For 2FA, fast and reliable delivery of codes improves adoption and makes the process less confusing. A message can take many different routes between the sender and your phone. Some of those routes are slower, cheaper and less reliable; others are faster, more expensive and more reliable. 2FA solutions should use the premium routes wherever they can.
Finally, when your users are experiencing a security problem, make sure there is a clear point of contact for them.
No solution is 100% impenetrable. There will always be bad actors, and even the strongest security will sometimes falter against the most determined attackers. It's easy to get lost in threat modeling of cryptographic systems and forget that if you slip the security guard $20 they'll look the other way. Protecting online accounts is becoming increasingly important and difficult, and we need to be talking about the benefits and pitfalls of all the tools we use to do it.
There's no such thing as 100% secure, and the SS7 vulnerabilities are something anyone relying on SMS should be watching for and taking into account. As a user, you should use app-based 2FA anywhere you can and turn SMS off. For anyone implementing 2FA, however, SMS remains an important tool and part of a great solution.