Two-factor authentication (2FA, typically delivered as a one-time password or OTP) via SMS over SS7 is inherently flawed: the SMS messages are unencrypted and can be intercepted. With the code from the SMS in hand, a cyber-criminal can potentially reset your password and gain control of your account.
Multi-factor authentication (“MFA”) has been promoted as an additional security layer to help mitigate the security risks inherent in password-based online authentication. NIST heavily advocated that the public employ MFA/2FA in 2014 because of pervasive access breaches caused by stolen or phished passwords. SMS 2FA was heavily favored because of the widespread ownership of smartphones. When the user logs in and enters their username and password, a 2FA “static code” is sent to their mobile device; this can be considered the “what you have” factor. The user then copies this code and enters it on the authentication page before being granted access. It worked for a while, but hackers later learned to intercept the static code, allowing them to gain access to the enterprise. In 2016, NIST sent a notice to the public not to use SMS-based 2FA.
SS7 (Signaling System 7) is the set of telephony signaling protocols used to set up most of the world’s public switched telephone network (PSTN) telephone calls. Its primary purpose was inter-telco communication, not security. Although any text message can be intercepted by a hacker, SS7 should not be faulted for that.
Again, the problem is the incorrect deployment of the solution:
- The smartphone was made to receive and store the SMS code.
- The code sent was STATIC, thus it can be copied or intercepted.
As with passwords, a static code can be intercepted and copied by the hacker, making 2FA useless as protection for the password.
Instead of disavowing SMS-based 2FA, why not:
- Make the smartphone act only as the transmitting channel for the SMS code and never store the code on the device.
- Make the SMS code dynamic: ask the user simply to click the SMS text, redirect them to the enterprise authentication page, then challenge the user with a set of dynamic credentials used as a human identity test. If intercepted, the dynamic credentials are useless to the hacker.
Here’s How it Works:
Deploying the correct technology solutions:
- Enables the public use of widely available smartphone devices.
- Renders the SMS text meaningless even if intercepted; it cannot be used by the hacker to breach an account.
- Allows NimbusID, a form of cognitive challenge, to serve as the identity test that proves the correct identity of the user on the device.
- Does not require software (e.g. an authenticator app) to be downloaded to the device, hence no client-side device vulnerability.
- Does not store the SMS code on the device, hence nothing to intercept.
- Means the user does not have to memorize, copy and then type in a code of at least 6-8 characters.
- Reduces user friction with fewer clicks. They click the SMS, then click their cognitive challenge, and access is granted.
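To make the difference between the two designs concrete, here is an added simulation (my example, not NimbusID's code) of both flows: in the first, the SMS text is the entire second factor, so whoever reads it passes; in the second, the SMS carries only a single-use, short-lived link and the answer to the dynamic challenge never crosses SMS. The login URL, user store and challenge answer are assumed placeholders.

```python
import hmac
import secrets
import time
# Constructed simulation (not NimbusID's code) of the two SMS flows above.
class StaticCodeFlow:
    """Classic SMS 2FA: the SMS text carries the whole second factor."""
    def __init__(self):
        self.pending = {}  # user -> code issued for the current login
    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return f"Your login code is {code}"  # the SMS as delivered
    def verify(self, user, code):
        # Anyone who read the SMS holds everything needed to pass.
        return hmac.compare_digest(self.pending.get(user, ""), code)

class LinkChallengeFlow:
    """Proposed flow: the SMS carries only a single-use, short-lived link;
    the answer to the cognitive challenge never travels over SMS."""
    TTL_SECONDS = 120
    def __init__(self, answers):
        self.answers = answers  # user -> expected challenge answer (assumed store)
        self.pending = {}       # token -> (user, issued_at)
    def start_login(self, user):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, time.time())
        return f"https://auth.example.invalid/login?t={token}"  # the SMS as delivered
    def click(self, token):
        # pop() consumes the token, so a second click (replay) returns None.
        entry = self.pending.pop(token, None)
        if entry is None or time.time() - entry[1] > self.TTL_SECONDS:
            return None
        return entry[0]  # user whose challenge page is now shown
    def answer_challenge(self, user, answer):
        return hmac.compare_digest(self.answers.get(user, ""), answer)

def simulate():
    """Constructed scenario: an eavesdropper holds only the SMS text."""
    static = StaticCodeFlow()
    code = static.start_login("alice").split()[-1]
    link = LinkChallengeFlow({"alice": "alice-correct-answer"})
    token = link.start_login("alice").split("t=")[1]
    user = link.click(token)  # eavesdropper opens the link first
    legit = link.start_login("alice").split("t=")[1]
    return {
        "static_code_breach": static.verify("alice", code),
        "link_breach": user is not None and link.answer_challenge(user, "guess"),
        "link_replay_user": link.click(token),  # None: token already consumed
        "legit_login": link.answer_challenge(link.click(legit), "alice-correct-answer"),
    }
```

An interceptor who clicks first consumes the link yet still cannot pass the challenge, so the legitimate user's later click fails; the server should log consumed tokens and let the user restart the login, since that failure is itself a useful signal.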
Don’t Kill SMS 2FA: there is nothing wrong with SMS; the problem is the wrong implementation of SMS 2FA.