SMS for 2FA: What Are Your Security Options?
Two-factor authentication is about using something in addition to your username and password for authentication. That “something” falls into three main categories: something you know (e.g. your social security number), something you have (e.g. a cell phone) or something you are (e.g. your fingerprint). Each piece of information used is called a factor, and when one of these is combined with your username and password, you are performing two-factor authentication (2FA).
Today, most 2FA solutions used on sites like Amazon, Facebook, Twitch and so on use your cell phone as the second factor; they require you to use a “one-time password” obtained via your phone as part of the 2FA login flow. This one-time password, often called a token, is retyped by the user into the application they are attempting to access. Because this is out-of-band communication, it greatly increases the security of the authentication process. Not only does the person attempting to log in need the right username and password, but they also need to have the right token. So how do you get this token? There are four main methods:
- An SMS text message
- A phone call
- A mobile application
- A separate hardware token
SMS is by far the most common method of delivering the 2FA token to the user. The reasons are that SMS is a feature of almost every mobile device, it is a very easy and fast way to communicate and, with the advent of cloud communications platforms like Twilio, sending the SMS from your application can be done entirely in software, so there is no huge investment in telecommunications equipment.
Unfortunately, SMS is also the least secure way to deliver the 2FA token. This article explores why SMS isn’t the most secure method, and when it may be an option you cannot do without. Businesses need to consider the risks of using SMS and balance them against the need to provide a broadly accessible experience for their users. We will also explain how Authy’s 2FA service is designed to let you manage this balance.
Problems with using SMS for security
SMS-only authentication has never been the most reliable or secure option, and should be supplemented with other forms of security when possible. Authy has always educated our customers about the weaknesses of SMS, while helping to ensure it’s used in the most secure manner possible. But as always with security, it’s a moving target, and a series of recent user attacks and exposed vulnerabilities should prompt every business or individual relying solely on SMS for authentication to consider improving their 2FA offering. The following are recent examples:
- The Marcher banking malware resurfaced earlier this year, and is now capable of stealing SMS messages directly from your device
- In April of 2016, 60 Minutes interviewed the team responsible for discovering the now-famous SS7 global network vulnerability
- In May 2016, a vulnerability (CVE-2016-2060) was discovered in a Qualcomm software package that could allow remote access to SMS libraries on both Android and iOS devices
- In June 2016, the Chief Technologist of the Federal Trade Commission outlined how her identity was stolen merely by porting her phone number to a new device
Security concerns over the past few months have escalated to the point where the National Institute of Standards and Technology (NIST) has voiced significant concerns about federal agencies relying solely on SMS-based authentication.
The above vulnerabilities, while very real, do require a significant level of effort on the part of the attacker. Yet determined criminals are going to use whatever they can to compromise an account. In addition to being more reliable than password security alone, 2FA via SMS makes it significantly more difficult for attackers to easily gain access. As we’ve seen in high-profile user attacks like the one on CIA Director John Brennan, people will go to extraordinary means, such as impersonating an employee of your cable company, just to glean personal information. So if you’re panicking over your plans to deploy 2FA or have concerns about an existing solution, just remember that 2FA on SMS is still more secure than only using name and password.
Essentially SMS is great for finding out your Uber is arriving, or when your restaurant table is ready. But SMS was never designed to provide a secure way for you to login to your online banking account.
Should you be deploying 2FA via SMS?
Due to the ubiquity of SMS and the fact that nearly every mobile device is SMS capable, we cannot remove SMS entirely from the 2FA landscape—at least, not yet. Security technology must be secure, but it must also be accessible to the people who need it. While 2FA vendors like Authy have added more secure methods to their 2FA services, these often require users to own smartphones that, while very popular, are not ubiquitous. For example, populous emerging markets like China and Brazil have smartphone penetration rates of around thirty to thirty-five percent, compared with higher numbers for feature phones that are SMS capable. The percentage of smartphone users will continue to grow, but in the meantime, SMS authentication may still need to be available for feature phone users.
The challenge, therefore, is balancing this need for user accessibility with the need for the most secure solution. Remember, 2FA via SMS still increases the security of your users’ accounts over the use of username and password alone. But the risk can be significantly reduced by removing SMS 2FA as the default option and reducing the trust we place in it. Use SMS for the portion of the population who don’t have a better option and minimize what they are authorized to do, but as often as possible present a more reliable and secure method.
So how do you deliver a secure 2FA solution in your application? First, we recommend not building it yourself. Instead, use a proven cloud 2FA API such as Authy. We then expose to you a range of options on how to secure your user accounts for authentication and authorization flows. Based on the above information, it should be clear that SMS needs to be a last resort and more secure options prioritized when possible.
Let’s jump to the modern-day techniques for 2FA and wean ourselves off the use of a one-time passcode (OTP). This mechanism of generating a short, usually numerical, code using cryptography was first designed in the 1980s. The code is delivered or generated out-of-band and then entered, by the user, into the application they are authenticating with. It is the requirement that the user have this code that is causing us to use SMS in the first place.
In the last year many technology companies, Authy included, have advanced 2FA techniques to leverage the growing network of internet-connected smartphones. Rather than relying on a token being entered during authentication, a push notification is sent to the device. This alerts users that some authentication attempt is taking place. Simply touching the notification reveals an app-based interface that’s very informative and clear about what’s going on. See the image below.
The user then selects either “Approve” or “Deny” to complete the authentication. What’s most different between this and SMS is that the mobile app has a direct and very secure connection between the device and the Authy 2FA service. Therefore there is no opportunity for compromising the solution via phishing, man-in-the-middle attacks, or privileged infrastructure access. This approach is also the recommendation of industry research groups such as Gartner and Forrester.
With push based 2FA, everything happens almost instantaneously, and the user just presses “Approve” and watches as the application proceeds automatically, with no codes to enter, and no additional application interaction. The user is pleased, and so is your security officer! This is the direction the whole authentication industry is moving in and we are seeing the likes of Google, Yahoo and Microsoft implement this exact approach in addition to offering traditional 2FA via SMS.
The downside to this approach is two-fold. First, it requires an internet connection to your device, and second, the device must support the installation of a mobile application. As we mentioned before, there are emerging markets like China and Brazil where not everyone has a smartphone, and in certain geographic locations the availability of internet connections is not as reliable as SMS.
Software and hardware tokens
Push notification methods are the ideal experience, but not always viable. So, during the authentication phase, we must provide a fallback to the more traditional approach of asking for an OTP. But how exactly does the user get the token? We can actually generate it entirely in software, without the need for SMS. These software-generated tokens can either be obtained from a hardware device you carry (like the one on the left), or we can run the same software in a mobile app that can be installed on your smartphone. What makes this ideal is that the code can be generated even when the phone has no internet or SMS connectivity—like when you are in a remote location or flying on a plane with no wifi.
Finally, before sending that token over SMS, there is one more option to consider: verbally delivering the token to the user via a voice call. The user experience here isn’t quite the best: the end user has to answer the phone, wait for the code to be spoken, and then retype the code into the application. That is a lot more work on the user’s part than just responding to a push notification, but there are some security benefits over SMS. Many of the SMS issues are related to capturing the text in flight or automating the capture of the SMS on the device. With a voice call, it’s a lot harder to capture that token (the number would need to be ported or the SIM swapped). We also require the end user to press a key when receiving the voice call, confirming their presence so the code isn’t captured on automated voicemail systems.
Authy avoids SMS by default
There is also a feature in Authy that helps you with making the SMS-or-no-SMS decision. When a user requests a token via the Authy service, by default if we detect the user has already installed the Authy application, we don’t send the SMS and instead generate a push notification prompting the user to get the token by starting the Authy app. This approach is more user-friendly than a non-connected software token/app, and more reliable than SMS.
You don’t need to do anything different in your application, as tokens sent via SMS and tokens generated by the mobile application both validate using the same API call. Authy’s API actually has the ability to override our intelligent behavior, by using our force=true parameter, which you may want to offer if the user is unable to use the mobile application. Letting Authy bypass the need for an SMS—if users have our mobile application installed—is more secure, more reliable, and saves you money!
When you call our API, we return a message saying the SMS request was ignored and we sent the user a push notification which will lead them directly to your application’s token inside the mobile app.
But what if someone physically has the phone?
You may be asking: if all of these 2FA options rely on a physical phone, doesn’t security break down if someone is able to steal the phone? Usually we rely on users setting a PIN code for their devices, so if the phone is stolen, the thief still needs to know the PIN. But another problem with SMS is that the delivered SMS is often visible on the screen, revealing the secret token even when the phone is locked. This is borne out by the growing problem of identity theft in which criminals walk out of wireless stores with new phones tied to your account!
If you integrate 2FA into your service with Authy, your users can add multiple devices to their account. This means if they find their phone is stolen or their phone number taken over, they can use another of their trusted devices with the Authy app installed (or use our Google Chrome application) and either change their 2FA phone number or remove stolen devices, thereby preventing the criminal from gaining access to your 2FA codes.
Traditionally, increased security has come with a loss of convenience and ease of use, which has left companies with a hard question: how much security are we willing to relinquish for a pleasant user experience…and vice versa? Fortunately, the trend is changing and with Authy’s OneTouch we are actually improving the security of 2FA while making the user experience easier.
But you cannot place all your 2FA needs on a single option. Users vary and so should your ability to authenticate them. SMS is viable for use with 2FA, and while it’s still far better than just relying on username and password, it’s just the least secure option. Authy’s service allows you to deliver 2FA in the most secure manner, but for high-risk scenarios, SMS is ill advised for 2FA.
Therefore take note of the features in this article and present the most secure and accessible option to your users at the right time. It’s an uncomfortable line to draw and one that we here at Authy are working to erase. SMS may be here for a while as the long tail of technology adoption asserts itself around the globe. We will work with you to find the best and most secure solution for your 2FA needs.