Podcast Question: Is 2FA over SMS that big a deal?

Xenophos
Xenophos
Community Member
edited November 2018 in Lounge

1st, I deleted my Twitter account a long time ago, so I can't post questions there.

2nd, my son and I were listening to ep 6, and he asked what the big deal with 2FA over SMS is. I get it in theory - it's insecure. But in practice, for the average punter, is it really that big a deal? Someone has to have my login credentials, intercept a 2FA text in real time and input into the website in a matter of a couple of minutes. Given that 2FA a backup, what are the chances, really? I get that it's not good for business, but am I missing something?

Loving the podcast. "Random but Memorable" is very apt! It reminded me to get my backside into gear and get my wife using our family account, AND that 1PW is an authenticator app. Thank you, thank you, thank you. You just made my life better.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    1st, I deleted my Twitter account a long time ago, so I can't post questions there.

    @Xenophos: While I haven't actually deleted mine, I don't really use Twitter much myself. Happy to hear from you here. Welcome to the forum! :)

    2nd, my son and I were listening to ep 6, and he asked what the big deal with 2FA over SMS is. I get it in theory - it's insecure. But in practice, for the average punter, is it really that big a deal?

    It's a good question. The answer is it really depends. In practice, for most people, you're probably going to be right. While it has essentially no security (the protocols used for cell phone service in general are incredibly old, were not designed with security in mind at all, and have known -- and relatively simple -- exploits), the other big problem with using SMS as a second factor is that this has the perception of added security. I think that's actually worse than bad security. When people know they're at risk, they can make choices based on that. You probably don't shout out your bank password in public, after all. It's just an unnecessary risk, and the downside is huge. But that's what SMS ends up being in many cases, since it is most often also used as a "recovery" or "reset" option. And having it going over the air is the technological equivalent of shouting out sensitive information at the mall. You wouldn't do that, and though in either case the chance of someone malicious paying attention may be not high, there's no upside to using it. When companies present SMS verification as a security enhancement, they're doubly doing their customers a disservice.

    Someone has to have my login credentials, intercept a 2FA text in real time and input into the website in a matter of a couple of minutes. Given that 2FA a backup, what are the chances, really? I get that it's not good for business, but am I missing something?

    I think it's worth pointing out that while that is certainly true in some cases, in many others the bar is much, much lower. The recent news discussed on the podcast is a prime example:

    https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/

    While discovered and reported by the good guys in this case, there's no guarantee that the bad guys didn't already know about it, or about other similar cases. A publicly accessible server with no security is probably at the extreme end of the spectrum, but it is the because of the inherent insecurity of SMS that something like that could even happen.

    Loving the podcast. "Random but Memorable" is very apt! It reminded me to get my backside into gear and get my wife using our family account, AND that 1PW is an authenticator app. Thank you, thank you, thank you. You just made my life better.

    Thank you! I'm so glad that you're enjoying the still-relatively-new 1Password podcast. There's more to come. :)

  • r1ma
    r1ma
    Community Member

    @brenty Can I find your podcasts on Spotify?

  • @r1ma

    I'm not super familiar with Spotify, and I don't believe we explicitly publish Random but Memorable there, but I've been told this link may be helpful:

    https://simplecast.com/s/3ac6279c

    I hope that helps!

    Ben

  • As for the OP... I'd recommend taking a look at this article and attached video:

    SMS Password Recovery: nopls – TEKaholics

    We're not affiliated with either but there is some great info there. SMS is probably not a great channel for authentication, but your mileage may vary based on what threats you are likely to face.

    Ben

This discussion has been closed.