Is the two-step SMS authentication really safe?

Posted by media on November 17, 2016 at 9:00 AM


Two-factor authentication requires the user to present two elements before an online service confirms his/her identity and grants access. These elements are a combination of something the user knows, something he/she has, and something that is physical (biometric data).

However, the most widespread form of identification is the two-step authentication or verification (2SA) system. This system, contrary to what we are led to believe, is not a two-factor authentication (2FA) system, and it is not as secure as one.

We explain why in this post.

This post is also available in Spanish.

The insecurity of the two-step SMS verification system

Given the presumed additional layer of protection it offers for accessing services on the Internet, the two-step verification system has received praise from well-known publications such as Gizmodo, which in 2015 dedicated an extensive article to explaining how to activate it for services like Apple, Google, Paypal, Facebook and Twitter, among others. Recently WhatsApp also enabled the option of two-step authentication to offer greater security to its users.

Among the two-step authentication methods, the most widespread is undoubtedly two-step authentication via SMS, which requires both a password and a code sent to our mobile phone in order to enter an account.

However, two-step authentication is not secure, because it is not really a two-factor (multi-factor) authentication system but rather a single-factor one: the password and the code that the user receives via SMS are both things that the user knows, and the second element was delivered to a mobile device that is easily hackable.

Speaking to Wired magazine, security expert Jonathan Zdziarski spells it out: two-step SMS authentication cannot be considered multi-factor.

As proof of this, two-step SMS authentication has suffered numerous security breaches in recent months. In the United States, the activist DeRay McKesson saw his Twitter account begin to publish tweets favorable to Donald Trump without his consent, and political figures in countries like Iran or Russia have suffered similar attacks on services theoretically protected by a two-step SMS authentication system.

Two-step authentication and multi-factor authentication are not the same

Multi-factor authentication is authentication that requires the user to provide different factors or data to confirm his/her identity: something that the user knows (for example, a password) and something that he/she possesses (a key generator) or something that is physical (biometric data).

But an SMS is not really something that we own; rather, it is something that has been sent to us and can be intercepted. This is why two-step SMS authentication cannot be considered truly multi-factor.

Multi-factor authentication systems
Combination of two or three authentication factors

The ability of an environment to verify that a user is who he/she claims to be, is what is called authentication.

Usually, authentication is based on something we know: our email or username and a password or PIN number that only we should know. However, this system of username and password does not guarantee the security of our information, as it really relies on just one factor: all of these are data that we know.

In order to provide greater security for our accounts in the different online services that we use daily - email, bank accounts, accounts on e-commerce sites that save our data, etc. - it's advisable to apply multi-factor authentication mechanisms, which are based on the combination of two or more of the following authentication factors:

  • Something that we know: password or PIN code.
  • Something that we own: code card, RSA token.
  • Something physical (biometric authentication): fingerprint, eye iris, voice, etc.

If we combine only two factors, it is called two-factor authentication or two-factor verification. Mechanisms that combine two or three authentication factors are both referred to as strong or robust authentication. Some examples would be:

  • The combination of our card (something we possess) with our PIN number (something we know) to withdraw money from an ATM, or to pay in most shops.
  • The use of tokens with random codes in many companies (something that we possess) combined with fingerprints (something physical).
  • The use of a PIN code (something that we know) combined with biometric recognition of our eye iris (something physical).
Source: Spanish National Institute of Cybersecurity (INCIBE)

Receiving and reading a message (SMS) on someone else's phone may seem unlikely, but sometimes it takes nothing more than social engineering to induce your operator to send messages to another SIM card, including all the access codes needed for two-step authentication. Or, less sophisticatedly, someone can simply steal your phone.

Even if such actions are infrequent and hard to detect, the SS7 protocol (Signaling System No. 7), used by most operators to route calls, messages and data between users, is an outdated infrastructure whose unaddressed vulnerabilities expose smartphones. It lets attackers take control of a terminal far more easily than we might imagine, and opens the door to users' personal data.

Following this evidence, reliable bodies such as the National Institute of Standards and Technology (NIST) in the United States have issued a Special Publication that declares two-step SMS authentication insecure, contradicting the praise Gizmodo gave it less than a year earlier.

NIST and a growing number of other bodies recommend other multi-factor authentication methods instead, such as apps that generate single-use codes, physical devices that provide additional authentication (for example, USB keys), or services such as Google Prompt.

At Signaturit we offer two-step SMS authentication, not as the basis of our signature process but as a complement to our biometric technology, which is what allows us to identify the signer uniquely through the biometric data of the signature.

Through biometric technology we capture data from the signer's signature - the stroke points, position, speed, acceleration and, on devices that support it, pressure. This means that if a signer does not recognize his/her signature, he/she can be required to repeat it during a judicial process.

Thanks to the biometric data collected with the very first signature, this can be compared with the biometric data collected in the signature repetition, and that will prove irrefutably who was the author of that signature.
