The Less Considered Perils of SMS Two-step Authentication
26th October, 2018 | Infrastructure | Entropic
In previous articles, we have discussed different types of two-factor authentication (2FA) that are offered by Internet and social media companies to provide additional sign-in protection for your account.
The well-established SMS-based 2FA option has been the primary choice for thousands of companies, including financial institutions, many of which appear to be locked in to offering only this one type of 2FA sign-in protection.
Additionally, many of these companies have either forced or are planning to force their customers to migrate to this type of account protection, on the assumption that it is the best available way to protect their customers' accounts.
But forcing a single 2FA approach without understanding all of the options only cements a new playbook of problems, vulnerabilities and exploits.
SMS 2FA has come into question due to issues such as SIM-card hijacking (SIM swapping), weaknesses in the cellular signalling network (SS7) that allow messages to be monitored or intercepted, and, more recently, incidents of companies abusing the phone number you entrust to them during 2FA setup by using it for other purposes such as advertising.
The Less Considered Problem
The less-considered problem with enabling SMS-based 2FA for account protection is that it is heavily dependent on established cellular network infrastructure. If you live in an area that rarely experiences infrastructure outages, you might ask why this should worry you.
Relying on an additional single point of failure, even a well-established telecommunications infrastructure that is used to send you SMS codes before you can access your stocks, banking details or e-mail, is a precarious approach to protecting your account. A single outage, arriving when you can least afford it, quickly shows how fallible the system is, and how it could snowball into a major problem in a widespread emergency.
Your cellular network coverage can be affected by several different types of events, some of which you might not have considered. Let's go through a few scenarios:
- Infrastructure Outages - Events such as hurricanes, typhoons, earthquakes, cyber attacks and terrorist attacks that physically disrupt cellular network infrastructure can prevent you from receiving the SMS text messages you need to access your account.
- Infrastructure Operating at Reduced Capacity - Power outages that affect cellular towers, or the surge of calls after a major earthquake as large numbers of people try to reach each other, can choke the cellular network and effectively prevent you from receiving SMS text messages.
- Infrastructure that is Unreliable - If you live in a remote area, you might be on the "edge" of a cellular network. Varying power output and environmental fluctuations can then decide whether or not you have a signal. If you are traveling overseas, you are reliant on that country's cellular infrastructure, which might be glitchy, or might prioritize its local customers over roaming foreign customers.
- Traveling Overseas - Traveling domestically or internationally to regions where your provider simply does not provide coverage can cause you to lose access to your accounts until you return home. Further, attempting to call your account provider to disable SMS 2FA while traveling can trip their "Red Flag" fraud rules because of your physical location, resulting in loss of account access until you return home.
- Account Disruption/Termination - A disruption or termination of your cellular provider account for any reason can prevent you from receiving the text messages needed to access your account. One chicken-and-egg scenario: you need to transfer funds to pay your cell phone bill, but you can't access your account because you haven't paid your cell phone bill.
One can argue that it is usually possible to contact your account provider in some way to override the 2FA, but by the same arguments above that may not be possible either. Internet access is more likely to survive an emergency because it reaches different regions over many diverse paths (fixed line, fibre, satellite and Wi-Fi, as well as cellular data); the cellular network used to deliver traditional SMS messages offers no such diversity, and a code that never arrives cannot be resent over some other path.
Eliminate the Central Point of Failure
Companies that offer and enforce 2FA for their customers need to prioritize newer but established methods of two-factor authentication, such as authenticator apps (time-based one-time passwords), hardware security keys and card-based systems. These do not share the single point of failure of cellular network infrastructure, which tends to inflict snowball-like consequences on customers, and on the business itself, in disaster situations.
To keep up with the constant emergence of 2FA vulnerabilities and exploits, companies also need to be at the forefront of piloting emerging methods of 2FA, so they are better positioned to adopt new technologies when needed.
Blockchain technologies are being used to develop authentication and identity management systems, though many are still at an unproven stage of development. SelfKey is an example of such an identity management system and is discussed in this article by Ryan Smith, originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Photo by Steve Halama on Unsplash