2FA using SMS – still the best security for online services

Our identity (in the form of a username or email and password) is brought into play, over and over again, as the gateway to perform an increasing array of functions. Everything is fair game, from business application software to more critical services like online banking.

Recent research from Centrify indicates that over a quarter of us enter a password online more than 10 times a day, or 3,500 to 4,000 times a year. In fact, 42 per cent of respondents in the UK and 37 per cent in the US say they create more than 50 new account profiles a year.

It follows that online identity is a challenge. There is a tendency for users toward simplifying the process by using the same username and password, making it easy for fraudsters to gain access to multiple accounts with a single hack.

Clearly there is a real need to add an additional layer of security or user authentication to a myriad of online services. Combining something you know (e.g. username / password), with something you have (phone, physical token) is significantly more secure as it can’t easily be exploited remotely. As such for years, two-factor authentication (2FA) has been regarded as the answer to the online access headache.

It requires users to use both something they know (like a password) and something they have (like a mobile phone). After a password is entered a second code (usually a randomised number) is sent to the user’s mobile device via an SMS and only after they enter it will a user get access to any given service.

Google’s Gmail, Linkedin, PayPal, Evernote, Dropbox and many others all have two factor authentication built in as a standard feature.

Adding this secondary line of protection is essential, and the best way to do it seemed to be with a one-time passcode sent by SMS. Indeed, as much as 20 per cent of all A2P (application to person) messaging on the CLX network comes from authentication. Banks, social networks and others have clearly found the process effective.

But in 2016 SMS 2FA was held out as fallible. An announcement made by the National Institute of Science and Technology (NIST) in the US noted that it had found flaws in 2FA via SMS messages, and said it was considering these risks and may “deprecate” SMS in future standards.

Specifically NIST was concerned that hackers could exploit flaws in the SS7 protocol that operators use to enable roaming on their networks. In some very sophisticated cases hackers can fool the phone network into thinking a device is on another network allowing for a 2FA SMS to be intercepted.

Theoretically this might be the case but if we peel back a few layers, it’s evident that the risk has been hugely over-exaggerated. In reality, the only people who could repeatedly exploit this SS7 protocol flaw at scale would be rogue employees inside a carrier that operates a GSM network – the equivalent of a Facebook staffer accessing your Facebook account.

Many critics of SMS for 2FA ignore the real weaknesses of SS7 and instead cite examples SIM Swap incidents whereby the attacker convinces a carrier to provide a replacement SIM card or to port a number to another carrier as evidence that SMS should not be used for 2FA. Even though these exploits are very real, they are not weaknesses or SMS but rather weaknesses of business processes and controls. Carriers are not the only companies who suffer from these weaknesses, and there are many examples of social engineering being used to access domain name registrars, email providers, and social media accounts to name but a few.

The reaction against SMS ignores the fact that it is generally safe and – most important – users are habituated to it because it is convenient and ubiquitous.

Moreover, it’s important to be realistic and offer the best possible security that people will actually adopt. In other words, there’s always a balance between security and ease of use. In this respect for the vast majority of online services, 2FA SMS is the best option we have. When looking at realistic alternatives to SMS such as ‘Time-based One-time Password’ (TOTP) apps, the evidence seems to be clear that getting a normal non-technical user to download a different app for each online service is very unlikely, and as such the alternative is a retrograde step to the username and password system.

Rather than deprecate SMS as a security standard, the solution should be to fix the known SS7 vulnerabilities rather than to prevent the use of SMS for 2FA. This is something that many operators are doing by installing SS7 firewalls to mitigate against these and other risks like grey routing.

While it’s always possible to close loopholes in a system, it’s much harder to reduce people’s tendency to be ‘taken in’. It’s a fact that it is social engineering – and not technical hacks – that is behind most attacks. Criminals persuading a network call centre agent to deactivate or port the original SIM, and provide a new one. Or phishing users with a spoof text message or email with the aim of tricking the consumer into disclosing personal data such as bank details or passwords for online services by masquerading as a brand that the consumer is familiar with (like their bank). In recent CLX MEF consumer research for example, we found that 33 per cent of mobile users have received a phishing message in the last year. Carriers will need to tighten controls to ensure these exploits are eradicated as these issues go beyond SMS and 2FA.

It is in fact two-factor authentication that can help to reduce these attacks, because it makes access so much more complex than merely trying to gain someone’s username or password. First published by CLX Communications