Wednesday, July 27, 2016

End of SMS-based 2-Factor Authentication; Yes, It's Insecure!


SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.

Two-Factor Authentication or 2FA adds an extra step of entering a random passcode sent to you via an SMS or call when you log in to your account as an added layer of protection.

For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile phone every time you sign in to your account.

But, the

US National Institute of Standards and Technology (NIST)

has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in future due to security concerns.

Here's what the relevant paragraph of the latest DAG draft reads:
"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

Due to rise in data breaches, two-factor authentication has become a standard practice these days. Many services are offering SMS-based 2FA to its consumers, just to ensure that hackers would need both their passwords and mobile phone in order to hack their accounts.

SMS-based Two-Factor Authentication is Insecure

However, NIST argues that SMS-based two-factor authentication is an insecure process because it's too easy for anyone to obtain a phone and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient.

In fact, SMS-based two-factor authentication is also vulnerable to hijacking, if the individual uses a voice-over-internet protocol (VoIP) service, which provides phone call service via a broadband internet connection instead of a traditional network.

Since some VoIP services allow the hijacking of SMS messages, hackers could still gain access to your accounts protected with SMS-based two-factor authentication.

Also, the

designing flaws in SS7

or Signalling System Number 7 also allows an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the

attacker hijack any service

, including Twitter, Facebook or Gmail, that uses SMS to send the secret code to reset account password.

Even some devices leak secret 2FA code received via SMS on the lock screen.


NIST Suggests BIOMETRIC! But...

The DAG draft notes that two-factor authentication via a secure app or biometrics, like a fingerprint scanner, may still be used to secure your accounts.

"Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have)," the draft reads.

Well, Biometric-based two-factor authentication process would require companies to store one copy of your biometric data on their cloud servers for verification.

So, would your share your fingerprints with Google or Facebook? Apple was criticized for the same when there was a rumor that

iPhone's Touch ID fingerprint sensor

will upload users' data to its cloud storage.

Many tech companies such as Facebook and Google offer in-app code generator as an alternative solution for two-factor authentication, which does not rely on SMS or Network carrier.

Last month, Google made its two-factor authentication a lot easier and faster by introducing a new method called

Google Prompt

that uses a simple push notification where you just have to tap on your mobile phone to approve login requests.



from The Hacker News http://ift.tt/2au4rAz

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.