Mon 13 November 2017


Multi-Factor Authentication, Phones, and SMS

Most implementations of multi-factor authentication (MFA), also known as two-factor authentication (2FA), rely on sending codes via SMS text messages or phone calls. If you are implementing MFA for a product or service, please don’t do this.

Tying MFA to a phone number means your authentication process is now in the hands of external organizations over which you have no control. Specifically: phone companies.

There are a multitude of ways an attacker can compromise phone number-based multi-factor authentication systems:

  • convince phone company to send a “replacement” for a “lost” SIM card
  • exploit vulnerabilities in “SS7” cellular network
  • break into carrier accounts and set up call-forwarding
  • phishing (e.g., password reset man-in-the-middle attack)

With so many ways to bypass phone number-based MFA, there have been many calls for abolishing it. Even the USA National Institute of Standards and Technology (NIST) joined the chorus in a 2016 draft of its Digital Authentication Guideline:

[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

(Due to industry lobbying and standards-body politics, that deprecation language was, unfortunately, later removed.)

Plus, what if I don’t want to give out my telephone number to every web site? By tying multi-factor authentication to phone numbers, you’re being told:

“Want to secure your data stored on our system? Sure thing, amigo. We just need you to give us your phone number. For every site you log in to.”

Facebook and Twitter, to pick two prominent examples, said that phone numbers would only be used for MFA and not for marketing purposes. Spoiler alert: they lied.

This privacy intrusion is completely unnecessary.

Multi-factor authentication based on phone numbers hinders privacy and is one of the least secure methods available. If you are implementing MFA, please don’t rely on codes sent via SMS or phone calls.

Users Have Few Choices

Despite its flaws, phone number-based MFA is still the most prevalent method in current use. And as users (not developers), using SMS is better than not using two-factor authentication at all. Even if SMS is the only available option, accounts will be more secure with MFA enabled.

That said, the trend is worrying. Even “new” MFA implementations, such as the Namecheap debacle I reported on previously, offer few best-of-breed options and ultimately still utilize phone numbers as part of their multi-factor authentication process.

When I look at the MFA methods available to me for my financial institutions, health insurance, and other organizations which store valuable data about me, I am appalled at the dearth of truly secure MFA options. Even when I think I’ve finally found a company that gets it right, I find something that wrecks the whole business.

Vanguard on the Vanguard

I’m a big fan of FIDO U2F hardware keys, so I was really excited to see Vanguard add support for them as an additional authentication factor. Then I noticed this:

You must sign up for security codes before you register a security key.

What… what? Why? Oh, riiiiiiight. Because they use SMS-based codes as the fall-back in case you lose your hardware key.

But this makes no sense. What’s the point of having a hardware key if it can be by-passed by the aforementioned insecure SMS-based process? Vanguard customers took to forums and expressed their frustrations in messages like these:

I’m really disappointed that you have to leave SMS on. This doesn’t increase security at all.

Sane Approach

It’s clear that organizations do this to avoid account lock-outs and the associated customer service hassles that result. But it’s the wrong approach. You want to offer SMS codes as an option? Okay, fine. But don’t force users to set up that method. Instead, users should be presented with a number of multi-factor options (preferably good ones) and then encouraged/forced to set up at least two of them. That way, users can choose the methods that work best for them, and organizations don’t have to worry about lock-outs and excessive customer service requests.

What You Can Do

As developers, I think I’ve made it clear what I believe what not to do, and what constitutes MFA best practices. So please… consider that carefully when implementing MFA in your systems.

As users, the best things we can do are:

  • be vocal
  • vote with your feet

Do you have accounts at organizations that use SMS as a second factor? Call them out on Twitter, Facebook, and other social networks. Voice your concerns via their support channels.

If advocacy doesn’t get anywhere, vote with your feet by taking your business and page views somewhere else. Reward the organizations that take the security of your data seriously.

What are you waiting for? Make your voice heard.