Not a lot has changed since our post last year about the dangers of using SMS in two-factor authentication (2FA) and multi-factor (MFA) login flows.
Companies and organizations continue to adopt SMS as an authentication strategy as they seek to enhance security. This isn't surprising—SMS seems at first glance to be the ideal tool for authentication. It leverages a device that nearly everyone already carries with them (a phone) that is tied to their personal identity—and it's widely supported and relatively inexpensive.
Unfortunately, as we pointed out then, SMS is fundamentally ill-suited to act as an authentication technology for a single, more fundamental reason: SMS itself is an insecure technology. It wasn't designed to secure other systems and workflows, and more to the point, SMS is in dire need of replacement itself precisely because it's so insecure.
The January Princeton Study
For those that haven't seen it already, note the already widely-cited Princeton study that drives the point home.
Released just this month, the study goes on to support some of the arguments we made last year. In particular, the study highlights just how mind-numbingly easy it is for malicious actors (it's really a step too far to call them hackers) to gain control of someone else's phone number and route their future messages—including SMS one-time authentication codes—to a new device.
The authors of the Princeton study went so far as to test this attack multiple times, in order to develop a picture of the difficulty involved in carrying it out. The picture isn't a pretty one.
They only needed to answer one challenge correctly to port a number to a new SIM card
Even if multiple incorrect answers were provided first, a successful answer would enable the port
They were able to port numbers even after intentionally providing incorrect PIN numbers
Simple, publicly-available facts like ZIP codes or biographical data were at times used for identification purposes
In short, there's no need to mount a sophisticated "attack" of any kind to gain access to someone's SMS authentication codes. Just phone a carrier, spend a few minutes sounding awkward and uninformed with a customer service agent, and you can have a target's SMS codes routed to the phone in your hand—instead of the phone in theirs—by lunchtime.
The Fundamental Tension
The fundamental problem with SMS is that it's a consumer technology intended to be used for lightweight, unimportant communication.
Every mildly technical person has probably been asked to help a friend or family member out with their phone—often to get SMS, MMS, or a SIM card working properly. The goal is never security—the goal is to "be able to send and receive calls and messages" and little else.
Customer service representatives at carriers are tasked with solving the same fundamental problem—keeping customers satisfied and connected—not with the job of ensuring the security of other, third-party software products and systems that happen to rely on SMS for security.
The result? Software and systems that are increasingly protected by a password and an SMS code and little else—and that are, as a result, tremendously insecure. In fact, an SMS code is often now treated sufficient verification to reset the password in question, leaving SMS as the only "protection" in play at all.
That's why we argued in our last SMS article that SMS 2FA/MFA may even be less secure than passwords alone—because the false sense of security that SMS 2FA/MFA provides can even eliminate the somewhat stronger protection that passwords offer.
What to Use Instead of SMS
For individuals: Right now if you're an individual wanting to secure your accounts, the most secure practice is to get a YubiKey or other hardware authenticator and confine yourself to using services that support authentication via a dedicated hardware key of this kind. Just remember that this isn't foolproof either—lose your key to a third party and all of your accounts are vulnerable, so protect it well.
For organizations: If you're a company or organization, hardware authenticators are easily a several steps better than SMS 2FA or MFA—but keep in mind that it's now 2020, and there are better solutions on the market—including adaptive, behavior-driven authentication solutions like Plurilock, which recognize actual people, rather than just checking for possession of the right credentials.
Whatever your situation, we'll continue to argue that no one should use SMS-based one-time authentication codes as a key method of authentication—at most, SMS is useful as an additional, supplemental identity signal that can be factored into an identity decision alongside several others.
To rely on SMS as a primary form of authentication, or as a way to enable password reset flows? As this month's Princeton study shows, that practice should belong entirely to the past. ■