For the longest time, banks and other companies have used SMS (short message service, or text) codes to authenticate clients' accounts as the second step of two-factor authentication (2FA). It was believed to be safe because a bot, or a cybercriminal posing as a legitimate client, would not have the client's phone in hand.
It turns out that this is a myth.
“If you have the option to use SMS vs any other way, I would choose any other way instead of SMS,” said Fernando Serto, head of Security Technology and Strategy at Akamai, Asia-Pacific and Japan.
He explained that SIM cards are easy to clone, so users' numbers can end up in the hands of cybercriminals.
In a recent post, cybersecurity firm Kaspersky echoed the same sentiment, saying that one-time codes generated by an authenticator app are preferable to codes sent by SMS for the following reasons:
- It’s easy to sneak a peek at passwords sent by SMS if lock-screen notifications are enabled.
- Even if notifications are turned off, a SIM card can be removed and installed in another smartphone, giving access to SMS with passwords.
- Password-bearing SMS can be intercepted by a Trojan lurking inside the smartphone.
- Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS will then go to this card, and the victim’s phone will be disconnected from the network.
- SMS with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit them.
SMS or the other way? Choose the other way
Serto said using multifactor authentication is a must, especially for people who use their banks' online services. He also suggested using a password manager, so that users need to remember only one password.
Even the world's most famous "hacker", Kevin Mitnick, strongly advises in his book "The Art of Invisibility" that users remember a single master password and let a manager, he suggests 1Password, handle the rest. The password manager generates a unique password for each website, so the user only ever has to remember one.
On its blog, Kaspersky said one-time backup codes can be stored on paper or, encrypted, in a password manager. Paid password managers cost a few dollars a month; if people can subscribe to Spotify and Netflix for that much, these services are cheap for the peace of mind they give online users.
“It’s not all that important whether the codes are kept in physical or digital format — what matters is that they (1) do not get lost and (2) cannot be stolen.”
Akamai's Serto also recommended using an authenticator app, specifically Google Authenticator.
Kaspersky said an authenticator app is very easy to use. Install the app on the smartphone, then open the security settings of each service to be protected and enable 2FA (assuming the option exists). The service shows a QR code; scanning it with the app stores a shared secret on the phone, and from then on the app generates a new one-time code, typically six digits, every 30 seconds without any network connection.
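To make concrete what the QR code hands over and how the 30-second codes are derived, here is an added example in Go (not code from the article, from Kaspersky, or from any of the apps named). It parses a constructed otpauth:// URI of the kind the QR code carries, computes codes per RFC 4226/6238 using the RFC's published test secret, and shows the server-side check with a one-step clock-skew allowance and a constant-time comparison. The issuer "ExampleBank" and the account name are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// SampleURI is a constructed otpauth:// URI like the one a service encodes in
// its QR code. The secret is the RFC 4226/6238 test key "12345678901234567890"
// in base32; issuer and account name are hypothetical.
const SampleURI = "otpauth://totp/ExampleBank:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank&period=30&digits=6"

// OTPParams is what the app keeps after scanning the QR code.
type OTPParams struct {
	Secret []byte
	Period int64
	Digits int
}

// ParseOTPAuth decodes an otpauth://totp URI into the shared secret and its parameters.
func ParseOTPAuth(uri string) (OTPParams, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return OTPParams{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return OTPParams{}, errors.New("not a TOTP otpauth URI")
	}
	q := u.Query()
	// Secrets are usually written in base32 without padding; normalise before decoding.
	raw := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(raw)
	if err != nil || len(secret) == 0 {
		return OTPParams{}, errors.New("invalid base32 secret")
	}
	p := OTPParams{Secret: secret, Period: 30, Digits: 6} // defaults per the otpauth convention
	if v := q.Get("period"); v != "" {
		if p.Period, err = strconv.ParseInt(v, 10, 64); err != nil || p.Period <= 0 {
			return OTPParams{}, errors.New("invalid period")
		}
	}
	if v := q.Get("digits"); v != "" {
		if p.Digits, err = strconv.Atoi(v); err != nil || p.Digits < 6 || p.Digits > 8 {
			return OTPParams{}, errors.New("invalid digits")
		}
	}
	return p, nil
}

// HOTP computes the RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", bin%mod)
}

// TOTP is HOTP with the counter taken from the clock (RFC 6238): this is the
// value the app displays and the only thing that changes every Period seconds.
func TOTP(p OTPParams, t time.Time) string {
	return HOTP(p.Secret, uint64(t.Unix()/p.Period), p.Digits)
}

// VerifyTOTP is the service side. It accepts the current step and up to skew
// steps either side to tolerate clock drift, comparing in constant time.
// A real server must also record the last accepted step and refuse reuse.
func VerifyTOTP(p OTPParams, code string, t time.Time, skew int64) bool {
	step := t.Unix() / p.Period
	ok := false
	for d := -skew; d <= skew; d++ {
		expected := HOTP(p.Secret, uint64(step+d), p.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	p, err := ParseOTPAuth(SampleURI)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code := TOTP(p, now)
	fmt.Printf("current code: %s  accepted by server: %v\n", code, VerifyTOTP(p, code, now, 1))
}
```

Note that nothing here ever leaves the phone or the server except the six digits, which is why the list above does not apply: there is no message to intercept, no SIM to swap, and the secret itself is only as safe as the device it is stored on.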
Kaspersky considers the following the best apps for two-factor authentication: Google Authenticator, Duo Mobile, Microsoft Authenticator, FreeOTP, Authy, and Yandex.Key.
Back to basics: Physical keys
Then there are the FIDO U2F hardware authenticators such as the YubiKey.
According to Kaspersky’s blog, “If an app generating one-time codes seems a too-flimsy and intangible way to protect your accounts, and you want something more solid and reliable that locks your account with a key that literally goes in your pocket, then look no further than hardware tokens based on the U2F (Universal 2nd Factor) standard, created by the FIDO Alliance.”
U2F hardware tokens plug into a computer or phone over USB (some models also work over NFC or Bluetooth). The token is registered once with each compatible service and from then on acts as a "key" that unlocks that service. To log in, insert the token, confirm the login in the service, and tap the token's button.
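What makes the tap on the button phishing-resistant is visible in the bytes the token signs. The following Go program is an added example (not the article's code and not any vendor's library) that models the authentication step: a token holding a P-256 key signs the application parameter (SHA-256 of the origin the browser is actually connected to), a user-presence byte, a 4-byte counter, and a challenge parameter, in the layout of the U2F raw authentication response. The origins bank.example and bank-login.example are hypothetical, registration is reduced to generating the key pair, and the challenge parameter is simplified to a hash of the raw challenge rather than the client-data JSON real U2F hashes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models what a U2F authenticator holds for one registration: a P-256
// key pair and a signature counter that only ever increases.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// NewToken stands in for registration (simplified: real tokens also return a
// key handle and an attestation certificate).
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is what the service stored at registration time.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// signedData lays out the bytes a U2F token signs in an authentication
// response: application parameter, user-presence byte, big-endian counter,
// challenge parameter.
func signedData(appParam, challengeParam [32]byte, userPresent byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := make([]byte, 0, 32+1+4+32)
	out = append(out, appParam[:]...)
	out = append(out, userPresent)
	out = append(out, ctr[:]...)
	out = append(out, challengeParam[:]...)
	return out
}

// Authenticate is the token's side of "insert, confirm, tap". The browser
// supplies the origin it is really connected to; the token never sees the
// address the user believes they typed.
func (t *Token) Authenticate(origin string, challenge []byte) (counter uint32, sig []byte, err error) {
	t.counter++ // the button tap asserts user presence and advances the counter
	appParam := sha256.Sum256([]byte(origin))
	challengeParam := sha256.Sum256(challenge) // simplified: real U2F hashes a client-data JSON
	digest := sha256.Sum256(signedData(appParam, challengeParam, 0x01, t.counter))
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return t.counter, sig, err
}

// Verify is the service's side. It rebuilds the signed bytes with its own
// origin, so a signature obtained under a look-alike phishing origin fails,
// and it requires the counter to move forward so a replayed response or a
// cloned token is rejected.
func Verify(pub *ecdsa.PublicKey, expectedOrigin string, challenge []byte, counter, lastCounter uint32, sig []byte) error {
	if counter <= lastCounter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	appParam := sha256.Sum256([]byte(expectedOrigin))
	challengeParam := sha256.Sum256(challenge)
	digest := sha256.Sum256(signedData(appParam, challengeParam, 0x01, counter))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature: origin or challenge mismatch")
	}
	return nil
}

// Demo runs an honest login, a replay of that response, and a login in which
// an attacker relays the real challenge through a look-alike origin. It
// reports whether each was accepted by the real service.
func Demo() (honest, replay, phished bool, err error) {
	const realOrigin = "https://bank.example"        // hypothetical
	const phishOrigin = "https://bank-login.example" // hypothetical look-alike
	tok, err := NewToken()
	if err != nil {
		return
	}
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	ctr, sig, err := tok.Authenticate(realOrigin, challenge)
	if err != nil {
		return
	}
	honest = Verify(tok.PublicKey(), realOrigin, challenge, ctr, 0, sig) == nil
	replay = Verify(tok.PublicKey(), realOrigin, challenge, ctr, ctr, sig) == nil
	ctr2, sig2, err := tok.Authenticate(phishOrigin, challenge)
	if err != nil {
		return
	}
	phished = Verify(tok.PublicKey(), realOrigin, challenge, ctr2, ctr, sig2) == nil
	return
}

func main() {
	honest, replay, phished, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest: %v  replay: %v  phished: %v\n", honest, replay, phished)
}
```

The user does nothing different in the phishing case, and the token signs willingly; the login still fails because the origin the browser fed into the application parameter is not the one the bank expects. That is the property an SMS code or an app-generated code cannot offer, since the user can be talked into typing either into the wrong page.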
Kaspersky advises having duplicates, just as with any keys: attach one to the car or house keys and store the other in a safe place. The firm also suggests mixing types, with an authenticator app on the smartphone as the primary factor and a U2F token or a slip of paper with one-time passwords kept in a safe as the backup.
Ultimately, SMS-based authentication is not recommended. However, many banks and other services still require it to verify ownership of accounts.
Serto said some airlines are exploring the use of multifactor authentication. Where a service offers the choice, it is up to clients and users whether to opt for SMS, an authenticator app, or a physical key.
Image from Kaspersky blog