Is SMS-based Two Factor Authentication Secure?

SMS-based two factor authentication (2FA) has been a popular way to add a second layer of security over password-based logins, and it is used today by many email providers, banks and technology companies. But the public draft of the US National Institute of Standards and Technology's Digital Authentication Guideline (SP 800-63B) states that out-of-band authentication over SMS is deprecated and may no longer be allowed in future versions of the guidance, because the SMS channel itself can be compromised.

What is Two Factor Authentication?

Before we look at the security concerns raised in the NIST draft, let us look at what two factor authentication is. A password on its own is a single factor: something you know. 2FA mitigates the risk of that password being guessed, phished or leaked by requiring a second, independent factor, typically something you have (a phone or a hardware token) or something you are (a fingerprint). SMS 2FA is the most common "something you have" implementation: after the password is accepted, the service sends a randomly generated one-time password (OTP) to the user's registered mobile number, and the login completes only when that code is entered. The idea is that it is unlikely for the same attacker to obtain both the password and control of the phone, so the chance of an account being taken over is greatly reduced.

Two Factor Authentication Security Concerns

The draft does not single out two factor authentication as insecure. Its threat table lists the ways any authenticator can be compromised, and the list below is drawn from that table. Only the last item is specific to SMS, and it is the reason the draft deprecates SMS as an out-of-band channel:

  • Theft: if your phone is stolen, the attacker receives the one-time codes sent to it
  • Duplication: passwords written on paper can be stolen, and a software PKI authenticator or a look-up secret list can be copied
  • Eavesdropping: an attacker may watch you enter your phone's PIN or unlock pattern and then unlock it themselves
  • Keystroke logging: malware on the device captures the password and the one-time code as they are typed
  • Interception: a phone number may be backed by a VoIP or other software-based service rather than a physical handset, so SMS messages can be intercepted or redirected without the attacker ever touching the phone; the draft requires the verifier to check that the number is tied to a specific physical device

Is Two Factor Authentication Really Unsafe?

The NIST draft does not actually claim that two factor authentication is unsafe; it claims that SMS is a weak channel for delivering the second factor. Even so, most of the threats above are really threats to the phone as a device and to the way present-day mobile phones work. If an attacker steals your phone or learns its unlock code, they get access not only to your one-time codes but also to your mobile banking apps, email apps and every other app installed on it.

What 2FA does is greatly reduce the chance of an attacker getting into an account: even if they guess or phish the password, they must also obtain the second factor, and compromising two things is much harder than compromising one. That is the core objective. Like any other security control, 2FA is not meant to be fool-proof; it buys time, so that the user or the provider can notice and regain control before the attacker does. Two caveats follow from the threat list, though. First, a six-digit one-time code has only a million possible values, so the verifier must cap the number of guesses and expire the code quickly, otherwise the second factor can itself be brute-forced over the same web form. Second, SMS is the one factor here that can be taken without touching the handset, because the message travels over a network to a number that may not be bound to a physical device.
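To make the first caveat concrete, here is an added example (not code from the article, from NIST or from any provider) of the server-side checks an SMS OTP verifier needs: an unpredictable code, a short lifetime, single use, a cap on guesses and a constant-time comparison. The SMS gateway is replaced by a callable so it runs offline; the phone number, the five-minute lifetime and the five-guess cap are assumptions chosen for the example.

```python
"""Server-side SMS one-time password (OTP) issue and verification.

Added example, not code from the original article or from NIST. Limits,
phone number and the stand-in `send_sms` callable are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: code valid for five minutes
MAX_ATTEMPTS = 5        # assumption: guesses allowed before the code is burned


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpVerifier:
    """Holds outstanding codes per user; the SMS gateway and clock are injected
    so the example runs offline and the expiry path can be exercised."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str, phone: str) -> None:
        # secrets, not random: the code must be unpredictable to someone who
        # already holds the password and is guessing the second factor.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]          # expired: a fresh code is needed
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            # Six digits is only a million values; without a cap an attacker
            # who has the password could enumerate the second factor too.
            del self._pending[user_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok:
            del self._pending[user_id]          # single use: no replay
        return ok


def demo() -> Dict[str, bool]:
    """Exercise the normal path and each failure mode with a fake clock and an
    in-memory SMS gateway (both constructed for this example)."""
    sent = []
    now = [1_700_000_000.0]
    v = OtpVerifier(send_sms=lambda phone, body: sent.append((phone, body)),
                    clock=lambda: now[0])
    phone = "+15555550100"   # assumption: a reserved example number
    results = {}

    # Normal login: the delivered code works once, then is rejected as a replay.
    v.issue("alice", phone)
    code = sent[-1][1].split()[-1]
    results["correct_code_accepted"] = v.verify("alice", code)
    results["replay_rejected"] = v.verify("alice", code)

    # A code presented after its lifetime is rejected.
    v.issue("alice", phone)
    code = sent[-1][1].split()[-1]
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = v.verify("alice", code)

    # Guessing: once the cap is hit the code is burned, even if the right
    # value is tried afterwards.
    v.issue("alice", phone)
    code = sent[-1][1].split()[-1]
    wrong = "111111" if code != "111111" else "222222"
    for _ in range(MAX_ATTEMPTS):
        v.verify("alice", wrong)
    results["correct_after_cap_rejected"] = v.verify("alice", code)

    results["unknown_user_rejected"] = v.verify("bob", "123456")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The guess cap and the expiry are what keep the second factor from being brute-forced; the constant-time comparison and the single-use rule are cheap and close off timing leaks and replay. None of this protects against the second caveat, interception of the SMS itself, which is the part NIST's draft is about.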

Deprecating SMS two factor authentication for the reasons listed by NIST may still seem like an over-reach: going by the same list, the mobile banking and email apps on the phone are a bigger exposure than the SMS codes. What are your thoughts?
