#17 SMS as a poor two-factor authentication choice

Multi-factor authentication (MFA) has followed the same trajectory as several other security solutions. It starts with critical work and enterprises and then trickles down to the masses. Almost every major web application like Gmail, Dropbox, etc. now supports two-factor authentication using text messages. All major browsers support hardware-based tokens using the FIDO U2F specification (described later). There has been an ongoing attempt to bake this inside the web specification itself.

With almost all of our old passwords out there in the open leaked from various web services, MFA has become more important. MFA relies on the ability to authenticate using a combination of something you know (passwords, PINs), you own (hardware tokens or mobile phone apps like Google Authenticator), or a physical trait (biometrics like fingerprint or iris scan, maybe even location, usage patterns, etc.).

Problems with SMS based two-factor authentication

SMS based two-factor authentication is now ubiquitous primarily because of ease of use. Users do not have to install an additional app on their phones, neither do they have to invest in purchasing an additional hardware token.

As with most protocols and systems, since the initial group of users were a select few, security was not taken into consideration when implementing the first versions of telecommunication systems. One such system is the Signaling System 7 (or SS7) used in 2G and 3G telecom networks. Since 4G networks are not available everywhere, almost all mobile phones continue to support 2G. With the ability to downgrade the connection to an adversary controlled tower-like device, it is possible to eavesdrop and intercept SMS communications.

Another technology used by governments is IMSI catchers, Cell-Site Simulators, or colloquially called Stingray (after the name of a popular model of such kind of device.) While a SIM card has to authenticate itself before it can use a particular network or tower, in the case of 2G mobile networks, it is possible to fake a cell phone tower sometimes using a briefcase-sized device to ‘catch’ IMSI numbers of mobile phones in the vicinity. Every SIM card has a unique IMSI (International Mobile Subscriber Identity) number and an authentication key (called the Ki) that is used to identify it over the telecom network. Pure IMSI catchers do nothing else except identify IMSIs in some particular area and then combine legal/police assistance to track movements using the telecom operators’ data. Since they cannot forward traffic to a real tower, catchers can also be used to do small scale Denial-of-Service/jamming attacks against mobile phones. Some Cell-Site Simulators (CSS) on the other hand are capable of launching a Man-in-the-middle (MiTM) attack by masquerading as a legitimate telecom tower and passing on calls and communication to-and-fro between a legitimate tower and a victim phone.

SIM swapping is another non-tech risk wherein social engineering is used to port out a user’s number to another SIM which can be used to receive two-factor authentication codes and bypass the mechanism altogether. It was recently used in 2019 to hack into Twitter CEO Jack Dorsey’s Twitter account. The 2018 Reddit hack was also made possible due to insecurity in SMS based two-factor authentication.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope,” a spokesperson said. “We point this out to encourage everyone here to move to token-based 2FA.”

Towards better options - TOTP

One of the most widely used two-factor implementations that are slowly superseding the SMS based one is the Time-based OTP (or TOTP). You might have used one if you have used Google Authenticator or a similar service that keeps on generating a new code every few seconds.

TOTP relies on another algorithm called the HMAC-based OTP (or HOTP). To go still more towards the roots, a MAC (or message authentication code) is used to validate that the message exchanged between two parties has not been tampered with. This is facilitated by using a shared secret key known only to the two parties exchanging the information. In HMAC, we use something called cryptographic hash functions that in simplistic terms, given a general piece of data, outputs another piece of data, usually much smaller in size. The function itself satisfies certain mathematical properties to guarantee security to a certain extent given a key size and available computational power. HMAC is a relatively simple algorithm relying on XORing messages with certain derivations of the key being used.

From the RFC 2104 for HMAC,

We define two fixed and different strings ipad and opad as follows (the 'i' and 'o' are mnemonics for inner and outer):

ipad = the byte 0x36 repeated B times

opad = the byte 0x5C repeated B times.

To compute HMAC over the data `text' we perform H(K XOR opad, H(K XOR ipad, text))

HOTP keeps track of a value called the counter. Given an HMAC implementation, HOTP is simply getting the HMAC output of the key concatenated with the counter value, creating a new value called the offset using the four least significant bits of the HMAC output from the first step and then using the offset to choose 31 bits of output from the HMAC output. The actual OTP is any number of least significant digits extracted from these 31 bits. This is generally 6 digits or longer.

In the case of Time-based OTP, the only change done is that the counter is based on the current time so that there is no need to specifically keep track of the counter.

Susum Pal’s elegant implementation of TOTP in python is provided below -

TOTP can be used on dedicated hardware like RSA’s SecureID or mobile apps like Authy and Google Authenticator with a single app serving authentication across multiple applications on the web.

FIDO U2F and hardware tokens

Universal Two Factor (U2F or renamed to CTAP1 recently) based hardware tokens use USB or NFC to provide an additional factor of security by ownership of a physical device. The device creates a pair of keys for each website or application where it is supposed to be registered and shares the public key with the website requesting registration. When the user tries to login the next time with their password, the website challenges the hardware token to sign a piece of information with the private key corresponding to the public key it has on file for the user. On successful verification, the user is authenticated. The process of registration of the token and authentication is inbuilt in various web browsers like Chrome and Firefox. There is no need to install any additional software.

Using a separate device has advantages. It is simple to use and not prone to malware or phishing attacks that could potentially read the tokens from a mobile phone app. Though the requirement of hardware is not mandated to use the U2F specification. The popular code hosting site GitHub has a software implementation of U2F for macOS. Most U2F hardware tokens also require you to touch a capacitive button on the key to allow the second-factor authentication to prevent malware from exploiting automated logins when the token is connected to the user device. This touch button is usually not biometric-enabled though some hardware tokens are adding support for fingerprints. An advantage of simply relying on key pairs is that two or more people can use the same hardware token for multiple accounts on the same website. It is generally also possible to have multiple hardware tokens registered to the same web service in case you are worried about losing one.

Android phones with their fingerprint sensors can now also be used as an authenticator. One of the most popular standalone hardware token using U2F is Yubikey, their USB based product pictured below -

Though the U2F specification itself is quite secure, it is possible to have specific device implementations that can have security issues. It is recommended to go with known and FIDO alliance certified providers of hardware tokens.

Other popular two factor approaches

An approach adopted by Apple is to send second-factor code to user devices that share the same Apple’s iCloud account via push notifications, thus removing the need to require additional apps. Enterprise solutions like MobileIron are combining a similar approach with Single-Sign-On (SSO) to provide easy access to enterprise SaaS application to employees.

Most SMS based two-factor authentication solutions also provide a set of backup codes that can be written down on a piece of paper and kept in case you lose access to your phone.

The standardization of the portion of the two-factor interaction between a remote server and a user browser is being done using the WebAuthn API. WebAuthn API encapsulates all hardware and related complexities and can be used by web app developers to directly build token authentication related stuff in their applications. An often-cited example is the re-authentication of a returning user to an app using biometrics like a touch button on a phone thus removing the need to enter the password again. This is already provided as a service by iOS to app developers. This API is supposed to complement the token-user-browser interaction using the FIDO U2F/CTAP specification.

A note on password managers

Slightly tangential but while two-factor might make the password policies a bit relaxed, we still have to protect our passwords. It is recommended to use a password manager (some even work as a TOTP app). Password managers solve a basic problem - We cannot remember too many different passwords. This forces us to use a set of shared passwords or sometimes just one password across all online services, potentially exposing us to breaches. And sometimes, we even forget those passwords! Password managers work by storing a database of usernames and password combinations concerning you that can be used across all different devices including phones. It can also suggest a strong password when you signup for a new service, that you do not have to remember. In most of the cases, the password database itself is encrypted, requiring a master password (as the secret key) to decrypt and use the entire list of usernames and password combinations. This master password then becomes the only thing that you need to remember, which can even be replaced by some other authentication method like Touch or Facial recognition on phones.

Additional features provided by most password managers are sharing your encrypted password with your work team or say a spouse without actually revealing your password. Password managers for businesses also provide features like role-based access and an audit trail of who has used particular passwords in the past. A good recommendation to start with a password manager is Bitwarden.

Though with everything else, they are not without their flaws. There have been several security vulnerabilities discovered in the most popular password managers in the past, which is scary given the data that is being trusted with them. Though given all the benefits, it is still recommended to use one.


Other things that matter

Nvidia has released their 3000 series of consumer GPUs with massive performance/price gains over the last generation. Apple might delay the proposed changes in iOS 14 to limit third-party tracking. Intel has released their 11th generation of mobile processors based on 10nm tech. India has banned yet more Chinese apps, this time including PUBG. Someone lost 1400 bitcoins due to a bitcoin wallet issue. Sucks to be that person. A decent read on Saudi’s MBS attempt to infiltrate Twitter.


RSA SecureID image under CC by Alexander Klink

Yubikey Image under CC-by_SA)


This is a repost from my weekly newsletter. You can subscribe to it here https://technotes.substack.com

Write a comment ...

Write a comment ...

Abhishek Anand

A weekly long-form newsletter on tech insights.