Two-factor authentication requires two elements from the user before an online service confirms his/her identity and grants access. These elements are a combination of something the user knows, something he/she has, and something he/she is (biometric data).
However, the most widespread form of identification is the two-step authentication or verification (2SA) system. Contrary to what we are led to believe, this is not a two-factor authentication (2FA) system, and it is not as secure as the latter.
We explain why in this post.
This post is also available in Spanish.
The insecurity of the two-step SMS verification system
Given the presumed additional layer of protection it offers for accessing services on the Internet, the two-step verification system has received praise from well-known publications such as Gizmodo, which in 2015 dedicated an extensive article to explaining how to activate it for services like Apple, Google, PayPal, Facebook and Twitter, among others. Recently WhatsApp also enabled the two-step verification option to offer greater security to its users.
Among the two-step authentication methods, the most widespread is undoubtedly two-step authentication via SMS, which requires both a password and a code sent to our mobile phone in order to access an account.
However, two-step SMS authentication is not secure, because it is not really a two-factor (multi-factor) authentication system but a single-factor one: the password and the code the user receives via SMS are both things the user knows, and the second was delivered to a mobile device that is easily hackable.
Speaking to Wired magazine, security expert Jonathan Zdziarski spells it out: two-step SMS authentication cannot be considered multi-factor.
As proof of this, two-step SMS authentication has suffered numerous security breaches in recent months. In the United States, the activist DeRay McKesson saw his Twitter account begin to publish tweets favourable to Donald Trump without his consent, and other political figures in countries like Iran or Russia have suffered similar attacks on services theoretically protected by two-step SMS authentication.
Two-step authentication and multi-factor authentication are not the same
Multi-factor authentication requires the user to provide factors of different kinds to confirm his/her identity: something the user knows (for example, a password) together with something he/she possesses (a code generator) or something he/she is (biometric data).
But an SMS is not really something we possess; it is something that has been sent to us, and it can be intercepted on the way. This is why two-step SMS authentication cannot be considered truly multi-factor.
Multi-factor authentication systems
Reading an SMS sent to someone else's phone may seem unlikely, but sometimes it takes nothing more than social engineering to persuade your operator to route messages to another SIM card, including all the access codes needed for two-step authentication. Or, less sophisticated still, someone can simply steal your phone.
As if such attacks were not already frequent enough and hard to detect, the SS7 protocol (Signaling System No. 7), which most operators use to route calls, messages and data between users, is outdated infrastructure that leaves smartphones exposed. This opens the way for attackers to take control of any terminal far more easily than we might imagine, and with it gain access to users' personal data.
In light of this evidence, authoritative bodies such as the National Institute of Standards and Technology (NIST) in the United States have issued a special publication declaring two-step SMS authentication insecure, reversing the praise Gizmodo gave it less than a year earlier.
NIST and a growing number of bodies recommend other multi-factor authentication methods instead, such as apps that generate single-use codes, physical devices that provide the additional factor - for example, USB security keys - or services such as Google Prompt.
At Signaturit we offer two-step SMS authentication, not as the basis of our signature process but as a complement to our biometric technology, which is what allows us to identify the signer uniquely thanks to the biometric data of the signature.
Through biometric technology, we capture data from the signer's signature - the stroke points, position, speed, acceleration and, on devices that support it, pressure. This means that if a signer does not acknowledge his/her signature, he/she can be required to repeat it during judicial proceedings.
The biometric data collected with the very first signature can then be compared with the biometric data collected from the repeated signature, which will prove irrefutably who the author of that signature was.