Should you Stop using SMS for MFA?

It’s often been said that you need to strike a balance between security and usability. Too much of one, and you have hardly any of the other.

Nothing could be further from the truth when talking about SMS one-time-password (OTP) as a multi-factor authentication (MFA) method. You get little security and little usability. There are no ifs or buts, today SMS means very weak security.

But convincing people to stop using SMS for MFA in 2023 is a bit like telling someone back in the 90s to stop using Telnet or POP3.

But what exactly is multi-factor authentication?

Multi-factor Authentication (MFA) is an authentication method where the user must provide two or more authentication factors to gain access. These methods can be something you know (username and password), something you have (SIM card & phone) or something you are (your face).

So, what’s so bad about SMS in multi-factor authentication?

Like your username and password, one-time-passwords received by SMS are only one factor in the multi-factor-authentication process, that can easily be captured by social engineering on the phone, phishing emails & WhatsApp messages, physical SIM swap attacks, or virtual SIM swaps by hacking a mobile phone companies’ infrastructure.

Krebs on Security recently claimed that hackers were offering “SIM Swaps as a Service” (real-time SIM swaps) on public Telegram channels, for the T-Mobile network on more than 100 separate occasions in 2022. If you were able to provide your target’s T-Mobile number, the ICCID number of your new SIM card and $1,500, you could start receiving your target’s SMS messages.

Jason Borne anyone?

Whoever is buying access to SIM swaps is not paying $1,500 for some grandma’s SMS codes, they are targeting high-net-worth individuals, crypto whales, the military, senior DevOps engineers, bankers and prime ministers.

But scammers can also get access to your SMS one-time-passwords for nothing more than the price of a phone call.

How does this scam work?

Typically a scammer will call you and persuade you to log into a genuine-looking but fake corporate website, where you enter your username and password. The caller will capture and then use these credentials on the real website, and then ask you to provide the SMS code you receive.

But there are plenty of ways a hacker can get access to your credentials (username and password) without calling you.

As you are no doubt aware, data breaches are becoming increasingly common. Only this week we heard that LastPass had its second data breach in the second half of 2022.

And when there is a data breach, your username and password can easily end up for sale on the dark web or even better available for free. if you need some convincing, just enter your email address on the “Have I Been Pwned” website.

There are other methods too, like dictionary attacks, brute force attacks, or credential stuffing.

So, what is the alternative to SMS?

You can use better one-time-password methods that use mobile push notifications together with a mobile app that requires user action (the user must push a button to confirm the access). But hackers can also exploit human behaviour, by sending multiple push notifications, expecting some users to eventually accept one request without thinking.

Using hardware tokens like YubiKey with FIDO2 adds a lot of additional administration and logistics, but is said to be resistant to phishing and almost all other kinds of threats, except maybe for a $5 wrench attack - you’ll need Krav Maga for that one 😃

Physical Smartcards can also be phishing-resistant.

Apps like Duo mobile are great options, since security administrators can disable any authentication methods you don’t want to allow in your organisation, and only enable the most secure methods like FIDO2.

Duo’s risk-based authentication also dynamically detects potential threat signals and adjusts security requirements, in real time, to enhance security without overburdening users.