The often talked about security risk of using SMS-based Two Factor Authentication (2FA) isn't actually as big a security risk as everyone makes it out to be. It's much more of a security risk in SMS-based Account Recovery. It's a subtle but incredibly important difference that I keep seeing news sites and security blogs completely overlook. So I thought I'd write to the world¹ to try to explain the difference.²
User Login vs Account Recovery
When hacking into a user login protected by SMS 2FA, you require three pieces of information:
- User username / email address
- User password
- User phone number
Contrast that with Account Recovery that uses SMS verification. You only need these two pieces of information:
- User username / email address
- User phone number
Obtaining the username/email address is usually trivial, depending on your target and the platform they are on.
Obtaining their phone number can be trivial, if your target is an easily contactable public figure, but could also be tricky if they try to keep their number private.
However, to obtain their password, you'll need at least one of the following:
- Credential Stuffing³ - User appearing in a data breach after reusing their password on multiple sites.
- Dictionary Attack - User using a commonly used password (e.g. qwerty, p@ssw0rd, dragon123, etc).
- Brute-Force Attack - Hacker uses automated guessing attack on possible password combinations.
- Phishing - Hacker tricks user into entering their password on a phishing site.
- Social Engineering - Hacker tricks user into providing their password.
- ... and more ...
Most of these methods of obtaining the password rely on the user reusing their password or choosing a terrible password. The rest involve tricking a user into providing their password. So you're left with either luck or skill to break into a user login. So why bother with passwords when account recovery over SMS bypasses the password entirely?
If the application lets you reset your account over SMS alone, it's not SMS 2FA! It's single factor SMS authentication, which is incredibly insecure in a targeted attack.
SMS 2FA Avoids Added Complexity
The standard argument about SMS 2FA usually directs users to app-based one-time-password (OTP) authenticator systems or hardware tokens (U2F), or even WebAuthN⁴. While these options are definitely more secure than SMS 2FA, they also add complexity, and that can be a problem.
Adding technical complexity locks out users. Adding your phone number and receiving an SMS with a verification code is a no-skill authentication method. My Grandad could easily check a mobile phone for a verification code. This would give him 2FA to protect his accounts behind his password.
If I asked him to install and use an app on his phone, he'd probably tell me his phone doesn't support apps. But if it did, I doubt he'd know how to install the app, then scan the QR code, and enrol the device, and then check it within the 30 second window to login... the complexity here is immense.
Sure I could get him a hardware token, and he may be able to use it. But most sites don't support hardware tokens. WebAuthN could be even easier for him. But there is even less support.
When most of your userbase is non-technical, SMS 2FA will have a much higher uptake than other methods, and more accounts will be protected behind 2FA - keeping more of your users secure. That said, if you have mostly technical users, get them using apps or tokens, etc. Or support everything and keep everyone secure!
It's a Targeted Attack
The other huge factor that's overlooked is that SMS attacks are targeted attacks. You can't acquire a list of 10,000 mobile numbers and email addresses and attempt to log in to random webapps en masse.
You need to
- Identify the specific user(s) on the specific site you wish to attack
- Identify their usernames/email address
- Identify their phone numbers
- Hijack their phone numbers
- Attempt login, intercepting the code, and entering it into the form
Although hijacking phone numbers can apparently cost as little as $16, it's not an automated process.
You need to socially engineer access to the number somehow.
You're not going to do that for 10,000 accounts in a credential stuffing list.
You're also not going to do it for a random target of little value.
You're going to do it on an important target with real value.
If you're a target of real value, SMS 2FA may be a security risk if you're using a terrible password too, or if account recovery uses only SMS. Use a strong password and avoid providing SMS to any systems that use SMS as the account recovery method. However, this is definitely an edge case. Most people need any form of 2FA³ to negate their terrible passwords.
There's an Easier Way to Hack into an Account
If you've obtained a credential stuffing list of 10,000 accounts with passwords and phone numbers, you'd have more luck attempting a phishing campaign than hijacking their phone numbers. Send them a convincing email asking them to login, proxy their username and password into the real login form, and then collect the SMS verification code.
Oh and the best bit? This works on other forms of 2FA too, such as app-based authenticators (OTP), and even some token-based authentications. So you'll not only gain access to the users with SMS 2FA, but also OTP accounts, etc. And yet, you don't hear people claiming OTP is insecure! ¯\_(ツ)_/¯
What's the Alternative to SMS 2FA Account Recovery?
The problem is account recovery that relies on SMS alone. The fix is to add a second factor in - such as email verification. The attacker would need to compromise the email account too.
If the user can no longer access their emails, you may need to get creative though. I've seen systems where you write to support and confirm information from within the account only you'd know. Or in the case of GitHub, your SSH keys.
However, please don't use the user's birthday... that's a whole new blog post about what not to do!
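To make the fix above concrete, here is an added example (my own illustration, not code from the post or any product it mentions) of a recovery session that only allows a password reset once codes delivered over two independent channels, SMS and email, have both been confirmed; the code TTL, attempt limit and channel names are assumptions. The SMS-only policy the post warns about is included for contrast.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed example: recovery codes are single-use, expire after CODE_TTL
# seconds and allow a bounded number of guesses (both values are assumptions).
CODE_TTL = 600
MAX_ATTEMPTS = 5

@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0

@dataclass
class RecoverySession:
    user: str
    challenges: dict = field(default_factory=dict)  # channel -> Challenge
    verified: set = field(default_factory=set)      # channels confirmed so far

    def issue(self, channel, now=None):
        """Generate a 6-digit code for one channel; the caller delivers it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[channel] = Challenge(code, now)
        return code

    def confirm(self, channel, submitted, now=None):
        """Check a submitted code; reject expired, exhausted or replayed codes."""
        now = time.time() if now is None else now
        ch = self.challenges.get(channel)
        if ch is None or ch.attempts >= MAX_ATTEMPTS or now - ch.issued_at > CODE_TTL:
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):  # constant-time comparison
            self.verified.add(channel)
            del self.challenges[channel]  # single use: a replay fails
            return True
        return False

def may_reset_password(session, required=("sms", "email")):
    """Hardened policy: every required channel must have been confirmed."""
    return all(ch in session.verified for ch in required)

def recover_sms_only(session):
    """Weak policy from the post: SMS alone resets the password, which bypasses
    the password factor of SMS 2FA entirely."""
    return "sms" in session.verified
```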
While I agree that SMS 2FA is less secure than other 2FA options, I disagree that it poses a security risk and should not be used at all; rather, it enhances security for some users. The problem is account recovery using SMS alone.
I'd love to continue the conversation, if you have any thoughts or if you disagree with me. You can reply to my tweet, or send me an email at firstname.lastname@example.org.
¹ Well, HEY World anyway...
² I want to make it clear that I'm not advocating for using SMS 2FA. Merely saying that SMS 2FA doesn't pose a security risk in normal conditions. I only use it when absolutely necessary. I'd love WebAuthN on everything, but I'll settle for U2F or TOTP.
³ There is always a chance that your target's phone number will be included in the breach too, but I'm guessing it's a rare occurrence.
⁴ I'd love to use WebAuthN on everything!