In this article, I want to take a look at SME attitudes to two-factor authentication (2FA). I’ve heard a few people express reservations about SMS 2FA because of the SS7 attacks earlier this year, even though they are not using any form of 2FA at all.
So, let’s take a look at 2FA: what it means, the different forms it takes, what the SS7 attacks were, and why we at DVELP believe that SMS 2FA is better than no 2FA.
2FA is a measure to increase security when authenticating a user at login.
There are three types of information you can use to authenticate: something the user is (e.g. their fingerprint), something the user knows (e.g. their password), and something the user has (e.g. their phone).
A 2FA system is any that requires two of these, taken from two different categories: a password plus a PIN is still only one factor. Most 2FA usage today combines the latter two, something the user knows (the password) with something the user has (the phone).
Most 2FA solutions use your phone as the second factor after the username and password stage. The server sends a one-time password, or ‘token’, to the phone, and the user enters it at the login screen of the application they’re trying to access. Being a one-time password, the token is good for a single login, and it should only be valid for a short time.
2FA means that attackers must target users individually, which blunts mass attacks on user accounts. So, whilst hackers could steal a list of usernames and passwords, to use them they would have to overcome the 2FA on each individual account: this dramatically reduces the impact of a credential leak.
2FA is widely recognised as the most effective single protection against stolen passwords and, ultimately, against stolen personal and corporate data.
SMS is by far the most widespread way of receiving the token. Enrolment is easy, so it offers the most frictionless UX at setup, and it works on almost any device because SMS-capable phones are ubiquitous: it could even be a Nokia 3210. What’s more, sending the SMS from your application can be done entirely in software through an SMS API, so there is no huge investment in telecommunications equipment.
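As an added example (not DVELP’s code or any SMS vendor’s SDK), here is the server side of the token flow described above in Python: issuing a code, handing it to the SMS sender (stubbed out as a print), and verifying what the user types back. The five-minute validity window, the five-attempt limit and the in-memory store are assumptions chosen for illustration.

```python
# Added example, not DVELP's code: server-side handling of an SMS one-time code.
# The SMS API call is stubbed out; the point is what the application must get
# right itself: the code is random, stored only as a hash, short-lived,
# single-use, and locked after a few wrong guesses.
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a 5-minute validity window
MAX_ATTEMPTS = 5         # assumption: lock the code after 5 wrong guesses


class OtpStore:
    """In-memory store keyed by user id; a real deployment would use a DB or cache.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> {"hash", "expires", "attempts"}

    @staticmethod
    def _hash(user_id, code):
        # Bind the hash to the user so a code issued for one account cannot be
        # replayed against another.
        return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()

    def issue(self, user_id):
        """Generate a fresh code, record only its hash, and return the plaintext
        so the caller can put it in the SMS. Uses `secrets`, never `random`."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "hash": self._hash(user_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, submitted):
        """Return True and burn the code on a correct guess; False otherwise.
        An expired or locked code is discarded so it can never be used."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["hash"], self._hash(user_id, submitted))
        if ok:
            del self._pending[user_id]   # single use
        return ok


def send_sms(phone_number, text):
    """Placeholder for the SMS API call; prints instead of sending."""
    print(f"to {phone_number}: {text}")


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")                      # after password check passed
    send_sms("+440000000000", f"Your login code is {code}")   # constructed number
    print("verified:", store.verify("alice", code))  # what the login form does
```

The checks that matter are all in `verify`: the comparison is constant-time, a code dies on first correct use, it expires, and it locks after a handful of wrong guesses. The last point is easy to forget and decisive: without an attempt limit a six-digit code falls to at most a million requests.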
Alternatively, the second factor can live in a dedicated authenticator app. Apps such as Google Authenticator and Authy generate time-based one-time codes (TOTP, RFC 6238) from a secret that is shared with your service once, at enrolment, and the user types the current code at login; some apps (Authy, for example) also offer push-style approval, where the app receives a notification and the user confirms or denies that it really is them logging in. Whilst this offers the most frictionless UX once the app is installed, it does require the user to install and set up a new app on their phone, which could really put them off signing up for your service. It also offers better security than SMS: the secret or key stays on the device, and after enrolment nothing is sent over the phone network, so there is no message for an SS7 attacker to intercept. However, it is a much newer method of 2FA than SMS, so it is not yet nearly as widely distributed.
The SS7 vulnerability is often put forward as a reason not to implement SMS 2FA. Let’s first look at what exactly this vulnerability is.
SS7 stands for Signalling System No. 7. It is the set of signalling protocols that carriers use to route calls and text messages between networks, and it is what lets your mobile work when roaming. It dates from an era when every party on the signalling network was a trusted operator, so it has little built-in authentication: anyone with access to the SS7 network can send its messages.
In December 2014, researchers demonstrated an attack to which SS7 was vulnerable. Using SS7 access, they (and therefore, potentially, criminals) could tell the network that a victim’s phone was roaming on a network they controlled, so that calls and text messages for that number were delivered to their own equipment. For SMS-based 2FA, this means that a login code can be intercepted and the account logged into by the attacker, without the phone or the SIM ever being touched.
In 2017, O2 Telefonica in Germany confirmed that attackers had used the SS7 vulnerability, in January of that year, to intercept customers’ banking SMS codes and drain their accounts. It was widely felt that an attack like this on 2FA had been coming, and that it would mark the death of SMS 2FA.
However, the business community did not agree.
The publicity around the SS7 vulnerability and the subsequent hacks has made companies not using any 2FA aware that they are not doing enough to protect their data, and that the rest of the world is ahead of them.
B Byrne of Twilio pointed out at Signal Conference in London this year that Twilio has observed an uptick in SMS 2FA adoption, despite warnings from authorities such as the National Institute of Standards and Technology (NIST) about its vulnerabilities. Currently, 84% of their 2FA customers opt for SMS.
These new customers say that they want to start with SMS 2FA now, which will put them in the best position to upgrade to a more secure form of 2FA once authenticator apps are more widely distributed.
That is, the business community is realising that SMS 2FA is better than no 2FA.
NIST’s position has also softened. The draft of its Digital Identity Guidelines (SP 800-63B) said SMS 2FA was deprecated; the final version, published in June 2017, dropped that wording and instead classes SMS as a ‘restricted’ authenticator: still permitted, but with its risks spelled out. SMS remains the easiest form of 2FA to implement, and it is the first rung on the ladder to best security practice.
SMS 2FA is the easiest 2FA to roll out to your customers: all they have to do is enter their phone number and prove they hold it by typing back the code you send.
It is also possible to support multiple forms of 2FA within one system. Offering the option of app-based 2FA for the customers that demand it could be the next level up of account security for your business.
The different forms of 2FA suit different priorities. App-based 2FA, for instance, involves downloading a new app onto your phone. Some of your customers may be prepared to go through the extra faff because they prioritise best-in-class security, while the rest may prioritise the ease of SMS. This way, you can have a system that protects data in the variety of ways that fit each customer’s needs.
A company committing to security by starting with SMS 2FA would of course be aware of the SS7 vulnerability, and it can mitigate it. SS7 redirection can be detected: number-lookup (HLR lookup) services report which network is currently serving a number, so when a login code is requested you can check whether the phone has suddenly appeared on a new network in a different country. If it has, the site can ask the user to confirm that they really are in that country before sending the code. Two caveats: genuine roaming triggers the same check, so treat it as a prompt for extra confirmation rather than a block; and the confirmation must travel over a channel the attacker does not control, such as the user’s email or an existing logged-in session, because a prompt at the login screen would simply be answered by whoever is trying to log in.
Overcoming security challenges like the SS7 vulnerability ultimately comes down to being informed about the current state of the technology you’re using. Another current trend is SIM swapping, where a criminal persuades a carrier to move the victim’s number onto a SIM they control so that calls and texts, login codes included, arrive with them; that too can be mitigated, for instance by treating a recent change of SIM or carrier on the number as a reason to ask for extra confirmation. It takes awareness and proactive action from your tech team, because the threat landscape is evolving.
So, for companies concerned about data protection, particularly with GDPR looming, we at DVELP recommend starting with SMS 2FA. We urge you to protect your customer data to the level that is strategically feasible for your business.
You can contact DVELP for more information about our 2FA implementation services here.