Better Two-Factor Authentication (2FA)
We have required all of our customers to use two-factor authentication (2FA) from day one. In keeping with our security-first philosophy of protecting and educating our customers, we want to provide some background on our 2FA system to encourage our customers to use the Authy app for 2FA rather than SMS, and to dispel some common misconceptions.
Gemini uses the Authy service for 2FA. Authy is an independent cloud service called on to perform secondary verification once we have checked that a customer has provided correct login credentials (i.e., email and password).
Authy offers multiple options for second-factor verification:
- SMS: One-time passcodes (OTPs) are delivered via text message.
- Voice: Similar to SMS, with the codes read aloud by an automated text-to-speech system.
- Mobile application: Users install an app (or Chrome extension), which generates an OTP based on a secret “seed” and current time according to the TOTP standard. TOTP is an open standard implemented by multiple apps including Google Authenticator and the Authy app.
- OneTouch: Pioneered by Duo Push, this model dispenses with codes altogether. Instead users confirm a login by responding to a simple yes/no prompt.
Each of these options comes with different tradeoffs. SMS is simple and can work on any mobile phone including legacy flip-phones that are not “smart” and don’t have an application ecosystem. Voice codes further improve accessibility by allowing codes to be sent to landlines or heard by users who have difficulty with visual information.
TOTP codes generated using an app do not require internet connectivity. TOTP apps can work offline, even if the phone itself has no service (e.g., when a user is outside a service area). OneTouch further improves usability by avoiding the need to transcribe digits from one device to another, but (unlike TOTP) it does require a data connection.
Encouraging Mobile Apps
Gemini has always supported SMS and mobile app options for 2FA. However, in recent interactions with customers, the Gemini support team reached the conclusion that many customers were either not aware of the Authy mobile app, incorrectly viewed SMS as equivalently secure to the Authy app, or were interested in other alternative TOTP apps. We are now actively encouraging all of our customers to install the Authy app. We believe that switching to the Authy app will improve security without any downside to usability for nearly all customers, as discussed below.
At the same time, we recognize there is no one-size-fits-all solution. Customers may have unique requirements which rule out the Authy mobile app, so we will continue to support SMS. However, once you have Authy installed, you will no longer be able to request codes via SMS. We’re doing this to prevent would-be attackers from circumventing the security of the Authy app by falling back to SMS.
Risks Associated with SMS
A 2003 ruling by the Federal Trade Commission (FTC) called for number portability between wireless carriers, which allows consumers to keep their existing phone number when they switch from one wireless carrier to another wireless carrier. Number portability increased competition between wireless carriers by removing one of the major obstacles that prevents consumers from switching to a better plan: the hassle of losing their existing phone number. The FTC ruling made it much easier for consumers to keep their number while switching carriers — too easy, perhaps. Call it the law of unintended consequences: the drive to portability also inadvertently opened the door to number-porting attacks.
Last July, the National Institute of Standards and Technology (NIST) came out with a recommendation to deprecate the use of SMS for 2FA. Almost on cue, the industry experienced an uptick in the incidence of phone number hijacking events. In this type of fraud, a miscreant impersonates the legitimate customer and ports his or her number to a different carrier, pretending to be that person switching carriers. If the attacker is successful in convincing the other carrier to reassign the number to an attacker-controlled device, all voice calls and SMS messages will be routed to the perpetrator. As a result, any 2FA system relying on SMS or voice for delivering one-time passcodes is susceptible to such attacks.
Setting up the Authy Mobile App
Setting up the Authy mobile app eliminates the risks associated with using SMS for 2FA, however, to fully mitigate SMS vulnerabilities you need to make sure you turn off “multi-device” in the Authy app. This prevents the same number-porting attack (mentioned above) from being used to obtain access to your SMS messages to perform an unauthorized install of your Authy account. When it is turned off, no additional instances of the Authy app can be provisioned. We recommend all Gemini customers to keep multi-device disabled, only enabling it temporarily when setting up a new device (for example, when upgrading your phone). If you’re resetting or trading in your phone, we also recommend that you install the Authy desktop app first, so that you can use it to authorize your new phone. We are also working with the Authy team to make the process of switching or upgrading devices easier and more secure for all Gemini customers, regardless of your multi-device settings.
While using a mobile app to generate codes is an improvement, there are other attack vectors that no 2FA solution based on one-time passcodes (OTPs) can solve. For example, sophisticated phishing attacks can ask users to disclose both their password and an OTP code. This type of phishing is more complex because it requires real-time use of compromised credentials. Since OTPs expire after a short time period, it is not possible to stash the stolen credentials for later use. Despite that added complexity, such attacks are not only feasible in principle but they have been observed in the wild against popular 2FA implementations including those used by Google and some large financial services companies.
These risks cannot be addressed by changing how one-time passcodes are generated or delivered. As long as the possibility exists for a user to be tricked into entering codes into the wrong website, phishing remains a viable attack. For these reasons, we are continuing to explore alternative 2FA paradigms such as U2F or Authy OneTouch for Gemini which are based on fundamentally different models. (Case in point: our internal systems for administering the exchange use public-key authentication with hardware tokens based on the PIV standard.) Our priority is to find a solution that combines high security and usability, and is available to our customers across a broad range of platforms.