G&D: How Secure is an SMS in Authenticating Identities?
SMS as a 2nd factor of authentication is not as safe as once imagined – but there are secure alternatives such as FIDO that can deliver a solution that satisfies service providers, and end consumers, whilst also maintaining regulatory compliance.
Vulnerabilities of SMS authentication
We are all familiar with SMS confirmations as part of a mobile or web sign-on process, and many people might consider it a fairly convenient and safe way to authenticate identities. But is it really as safe as it should be? Reports over the last couple of years suggest not. A high-profile attack on US Black Lives Matter activist and politician DeRay Mckesson in 2016 illustrated the vulnerabilities of SMS authentication. Mckesson’s twitter account suddenly started endorsing Donald Trump, something completely out of character for the activist. His account had been hacked. It wasn’t, however, a password breach; it was a two-factor authentication issue, where SMS was being used as the second authentication channel.
Someone had taken control of Mckesson’s account by convincing his mobile phone provider to reset his SIM. In turn, this allowed the hacker to set it up to intercept text messages and bypass the two-factor authentication (2FA) that should have kept his account secure. This wasn’t an isolated case. In 2017 hackers succeeded in exploiting the SS7 channel using stolen 2FA SMS codes to empty mobile users bank accounts in Germany, and just as recently as last week, Reddit announced that their database had been hacked via an SMS intercept attack. As a result, Reddit announced it is moving away from SMS-based authentication.
Attitudes, however, are changing. NIST (the US National Institute of Standards & technology) has decreed that SMS is no longer a valid channel for 2FA due to the perceived security risks. Nevertheless, in an open banking environment, now regulated by the EU’s PSD2 (Payment Services Directive 2), where third-party providers can offer new banking services through an open API infrastructure, secure two-factor authentication becomes ever more important.
FIDO offers a smart, secure solution
2FA SMS is highly dubious particularly in the face of PSD2 requirements. The main issue derives from the fact that one of the authentication factors has to be transferred over a remote (yet very secure) channel. Thankfully, banks and other service providers are not restricted to using SMS. The increasing prevalence of biometric-based smartphones and open standards, such as FIDO (Fast Identity Online), offer a way forward. This can come in the form of a smartphone coupled with private/public key pairs and a challenge/response protocol.
FIDO hides the complexity from the end user, providing for a smooth and simple user experience. To someone logging into their banking app using FIDO, they may simply use a biometric method, such as a fingerprint, and they are authenticated securely into the app. Unaware to the user, the second factor in the 2FA process happens entirely in the background using the FIDO private key and the FIDO challenge/response protocol between the device and a bank hosted FIDO server.
Convego Mobile Authentication
At a time when consumers are using smartphones more than computers to access digital services, such as banking, access needs to be simple, yet highly secure. FIDO delivers this simply and elegantly, while also keeping costs down for the service provider who no longer needs to rely on additional hardware such as token generators.
FIDO meets the requirements of users, regulators and service providers by being simple, secure and cost-effective. G+D Mobile Security’s Convego Mobile Authentication solution is already delivering FIDO biometric based, PSD2 compliant, strong customer authentication to millions of users worldwide.