These days, it seems every website you ever visit tries to encourage you to use two-factor authentication (2FA).
One of the most common ways to use 2FA is to input a unique code from your mobile device. Typically, you receive the code in a text message or you use a third-party 2FA app to generate one.
Both methods are popular because they are convenient. Both are also weak from a security standpoint, and because a 2FA code is only as secure as the channel that delivers it and the secret that generates it, those weaknesses matter.
So, what’s wrong with using SMS and third-party apps to access your codes? And is there an equally convenient alternative that’s more secure? We’re going to explain everything. Keep reading to find out more.
How Two-Factor Authentication Works
Let’s take a moment to discuss how two-factor authentication works. Without understanding the mechanics behind the technology, the rest of this article will not make a lot of sense.
In broad terms, 2FA adds an extra layer of security to your account. Under 2FA (a special case of multi-factor authentication), your login credentials consist not only of a password but also of a second factor: something only the account's legitimate owner possesses or can produce.
2FA comes in lots of different forms. Security questions are sometimes presented as one (because no one else could possibly know your mother's maiden name or your favorite pet), but they are really just a second password: another "something you know", and often something a stranger can look up. A true second factor is something you have (a phone, an authenticator app, a hardware key) or something you are (a biometric such as a fingerprint or a retina scan).
Why You Should Avoid SMS Verification
SMS enjoys a position as the most accessible way to access and use 2FA codes. If a site offers two-factor authentication logins, it almost certainly offers SMS as one of the options.
But SMS isn’t a secure way to use 2FA. It has two key vulnerabilities.
Firstly, the technology is susceptible to SIM swap attacks. A SIM swap requires no technical skill: an attacker who has collected a little personal information about you, such as your social security number, calls your carrier, impersonates you, and has your number moved to a SIM card they control. From then on, every SMS code meant for you is delivered to them.
Secondly, SMS messages can be intercepted in transit. The root cause is Signaling System No. 7 (SS7), the signalling protocol suite that telephone networks use to set up and tear down calls. SS7 was designed back in 1975, yet it is still used almost globally; besides call routing it also handles number translation, prepaid billing and, crucially, SMS delivery.
Unsurprisingly, this technology from 1975 is full of security holes. SS7 was designed for a closed network of trusted carriers and assumes that anyone able to send signalling messages is authorised to do so, an assumption that no longer holds. Here's how security expert Bruce Schneier described the flaws:
“If the attackers have access to an SS7 portal, they can forward your conversations to an online recording device and reroute the call to its intended destination […] It means a well-equipped criminal could grab your verification messages and use them before you’ve even seen them.”
Of course, discovering that a cyber-criminal has hacked your Facebook account is far from ideal. But the situation is scarier when you consider the other uses of 2FA. A cyber-criminal who can read your SMS codes could log in to your online banking, or even initiate and confirm money transfers.
Furthermore, Schneier also claims that access to the SS7 network can be bought for around $1,000. With that access, an attacker can send a routing request that redirects your messages, and, compounding the problem, the network may not authenticate the source of the request.
Remember, using two-factor authentication via SMS is still better than leaving 2FA disabled, and most people will never be targeted this way. However, if you're starting to feel a bit concerned, keep reading. Many people accept that SMS is insecure and turn to third-party apps instead.
But that may not be much better.
Why You Should Avoid 2FA Apps
The other common way to use 2FA codes is to install a dedicated smartphone app. There are lots to choose from. Google Authenticator is arguably the most recognizable, but it’s not necessarily the best. There are lots of alternatives out there—check out Authy, Authenticator Plus, and Duo.
But how secure are specialist 2FA apps? Their biggest weakness is their reliance on a shared secret key.
Let's take a step back for a second. When you enable app-based 2FA on a site, the site shows you a secret key, usually as a QR code that the app scans. That secret is shared between your app and the site you are logging in to (not the app's developer), and the site keeps a copy of it for every account that enables 2FA.
When you log in, the app derives a short code from the secret and the current time: an HMAC of the secret over the current 30-second time step, truncated to six digits. The server derives a code from the same two inputs and grants access if the two match. Sounds sensible.
So why is the key the weak point? Because it is a shared secret. If a cyber-criminal obtains a site's database of 2FA secrets, every account that relies on them is exposed: the attacker can generate valid codes for any user and come and go at will.
Secondly, the secret is handed to you in the clear, as text or as a QR code, and it has to stay recoverable on the server, because the server must feed the raw secret into the same HMAC to check your code. Unlike a password, it cannot be stored as a salted hash; at best it is encrypted at rest, and on many sites it simply sits in plain text in the database.
This shared secret is the fundamental weakness of the Time-Based One-Time Password (TOTP) scheme that authenticator apps use, and it is also why codes can be phished: anyone who tricks you into typing the current code into a fake site can replay it to the real one within the same time window. A physical U2F key avoids both problems, because the server stores only a public key and the key signs for a specific site rather than producing a code you can be talked into revealing.
Flaws in Design and Security for 2FA Apps
Of course, the chances of a cyber-criminal breaching a given site's secrets database are fairly small. But the app itself can also suffer from basic security flaws in its design.
Popular password manager LastPass fell victim in December 2017. A programmer’s blog post on Medium revealed 2FA secret keys could be accessed without a fingerprint, password, or other security measure.
The bypass wasn't even complicated. By launching the LastPass Authenticator app's settings activity directly (com.lastpass.authenticator.activities.SettingsActivity), one could enter the settings pane for the app without any checks. From there, pressing Back once revealed all the 2FA codes.
LastPass has now fixed the flaw, but questions remain. According to the programmer, he had tried to tell LastPass about the issue for seven months, but the company never fixed it. How many other third-party 2FA apps are insecure? And how many unfixed vulnerabilities do the developers know about but delay patching?
What to Do Instead: Use U2F Keys
Instead of relying on SMS or an authenticator app for your codes, you should use a Universal 2nd Factor (U2F) key. U2F does not generate codes at all: the key holds a private key and signs a challenge from the site, which makes it the most secure form of second factor widely available.
Widely considered to be a second-generation version of 2FA, it both simplifies and strengthens the current protocol. Additionally, using U2F keys is almost as convenient as opening an SMS message or third-party app.
U2F keys connect over USB or NFC. When you register the key with a site for the first time, it generates a brand-new key pair for that site and hands the site the public key plus an opaque key handle; the private key never leaves the device. Each time you log in afterwards, the site sends a random challenge (a nonce), your browser adds the origin of the site it is actually talking to, and the key signs both with the private key it created for that origin. The site checks the signature with the stored public key. Because the signature covers the origin, a key registered with your bank will not produce a valid signature for a look-alike phishing domain, and because the server holds only public keys, a breach of its database yields nothing an attacker can log in with.
Thereafter, logging in means plugging in (or tapping) the key and touching its button when the service prompts for it.
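The registration and login exchange just described, as an added example written for this article rather than the code of any real token or browser. It models the token as a struct holding one P-256 key pair per registration, each bound to the origin it was registered for, and signs the same byte layout a U2F token signs (SHA-256 of the origin, a user-presence byte, a 32-bit counter, SHA-256 of the challenge). The origins `https://bank.example` and `https://bank-login.example`, the challenge bytes and the random key handle are constructed for the demo; real tokens usually derive the key handle from a device secret instead of storing a table, and real client data is a JSON structure, but the origin binding shown here is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// token models the secure element: one fresh P-256 key pair per registration,
// each remembered together with the origin (appId) it was created for.
type token struct {
	keys    map[string]*ecdsa.PrivateKey // keyHandle -> private key
	appIDs  map[string]string            // keyHandle -> origin the key is bound to
	counter uint32                       // signature counter, lets the site spot clones
}

func newToken() *token {
	return &token{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}}
}

// register creates a new key pair for this origin and returns the public key
// plus an opaque key handle. The private key never leaves the token.
func (t *token) register(appID string) (keyHandle []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	keyHandle = make([]byte, 32)
	if _, err := rand.Read(keyHandle); err != nil {
		return nil, nil, err
	}
	t.keys[string(keyHandle)] = priv
	t.appIDs[string(keyHandle)] = appID
	return keyHandle, &priv.PublicKey, nil
}

// signedData is the byte string a U2F token signs during authentication:
// sha256(appId) || userPresence(1) || counter(4, big-endian) || sha256(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, app[:]...)
	out = append(out, 0x01)
	out = append(out, ctr[:]...)
	return append(out, chal[:]...)
}

// authenticate is the token's answer to a challenge. The browser, not the site,
// supplies appID (the origin it is really connected to), so a handle registered
// for one origin is refused when presented from another.
func (t *token) authenticate(appID string, keyHandle, challenge []byte) (counter uint32, sig []byte, err error) {
	priv, ok := t.keys[string(keyHandle)]
	if !ok || t.appIDs[string(keyHandle)] != appID {
		return 0, nil, errors.New("key handle not registered for this origin")
	}
	t.counter++
	digest := sha256.Sum256(signedData(appID, t.counter, challenge))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// verify is the site's check. It needs only the stored public key, so a stolen
// database of registrations gives an attacker nothing to log in with.
func verify(pub *ecdsa.PublicKey, appID string, counter uint32, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedData(appID, counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	tok := newToken()
	const bank = "https://bank.example" // constructed origin for the demo
	handle, pub, err := tok.register(bank)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32) // the site's per-login nonce
	rand.Read(challenge)
	counter, sig, err := tok.authenticate(bank, handle, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine origin verifies:", verify(pub, bank, counter, challenge, sig))
	// A phishing page relays the bank's real challenge and key handle, but the
	// browser supplies the phishing origin, so the token refuses to sign.
	_, _, err = tok.authenticate("https://bank-login.example", handle, challenge)
	fmt.Println("phishing origin refused:", err != nil)
}
```

Contrast this with the TOTP flow: there is no code for the user to read out or type, so there is nothing for a phishing page to relay, and the site's database holds public keys and handles rather than secrets that generate logins.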
So, what's the downside? Well, even though U2F is an open standard, a physical U2F key still costs money. And perhaps more concerning, you're at risk from theft or loss.
A stolen U2F key doesn't automatically make your account insecure; a thief would still need to know your password. But in a public area, a thief might already have watched you type your password before stealing your possessions. For that reason, register a second key as a backup and keep it somewhere safe, so that losing one key locks out the thief rather than you.
U2F Keys Can Be Pricey
Prices vary considerably between manufacturers, but you can expect to pay between about $15 and $50.
Ideally, you want to purchase a model that’s “FIDO Certified.” The FIDO (Fast IDentity Online) Alliance is responsible for achieving interoperability between authentication technologies. Members include everyone from Google and Microsoft, to Bank of America and MasterCard.
By buying a FIDO-certified device, you can be sure your U2F key will work with all the services you use every day. Check out the DIGIPASS SecureClick U2F key if you'd like to purchase one.
Insecure 2FA Is Still Better Than No 2FA
To summarize, Universal 2nd Factor keys provide a good balance between ease of use and security. SMS is the least secure approach, but it is also the most convenient.
And remember, any 2FA is better than no 2FA. Yes, it might take you an extra 10 seconds to log into certain apps, but it’s better than sacrificing your security.