2 Factor Authentication

So on the latest lvl1teks news, Wendell says that you shouldn't use 2 factor authentication by text message because basically the system is shit. My question then is, should we just not use phones as part of the whole 2 factor authentication process completely then? Like, should phones be completely left out of the 2 factor authentication process?

A phone based digital token OTP system is fine. Not perfect, but better than nothing. use FreeOTP if you want to audit the code yourself or don't trust google auth

I'm not sure if we're on the same page. I'll give an example, Google's 2 factor authentication for Google accounts. I didn't mean by like phone software apps. I'm not sure if that still applies though.

You may want to edit this bit then. Digital token OTP on phones is, by every metric, phone-based 2fa.

1 Like

Okay, so on the phone side of things in that manner it seems to be acceptable, but if for the example that I gave it seems to be unreasonable, right?

I've not seen the latest news. But the general consensus is that SMS as a technology is no longer considered appropriate for 2FA where there is any measure of security or authenticity required of the code actually being sent.

It was removed from the latest standards for passwords and authentication as a valid secure means of a second factor.

That doesn't mean that other phone based second factors are not valid.

Edit: These are the updated guidelines I was referencing


Not really knowledgable about this myself, but as I understand this was only referring to plain text authentication codes. I never used the Google 2FA myself, so I'm not sure how it works exactly, but as long as the traffic is encrypted and/or can't be (easily) intercepted this shouldn't be an issue.

When I use it I just get a notification that has two buttons, "yes" or "no". Nothing via text

I wish Wendell would reply to this for clarification purposes

I mean.. Im sure @wendell might.

I should actually revise my post.

Having looked a little closer at the final released version of the new guidelines. SMS wasn't removed as a depreciated second factor. Reading some of the discussion the consensus seems to have come to two conclusions.

  1. That SMS is not secure.
  2. But that depreciating it would be detrimental to the uptake of 2FA

The final release of 800-63b seems to have come to a balance. SMS wasn't depreciated but it was changed in how it can be used.

out of band authenticators must either use a protected channel (encryption) or using a public mobile telephone network with SIM or unique identifier only if it is sent via PSTN. i.e. you cannot send an SMS authenticator via VoIP.

They add additional requirements for authenticators using PSTN (SMS over the phone network) Authentication using the Public Switched Telephone Network

Use of the PSTN for out-of-band verification is RESTRICTED as described in this section and in Section 5.2.10. If out-of-band verification is to be made using the PSTN, the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. Changing the pre-registered telephone number is considered to be the binding of a new authenticator and SHALL only occur as described in Section 6.1.2.

Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.

NOTE: Consistent with the restriction of authenticators in Section 5.2.10, NIST may adjust the RESTRICTED status of the PSTN over time based on the evolution of the threat landscape and the technical operation of the PSTN.

  • Its classed as a restricted authenticator.

Essentially from what I read (Sc 5.2.10) this means that (among other requirements) the implementor must assess the risk of using that type of authenticator and must accept that the risk will rise over time. At any time the risk becomes unacceptable the authenticator method becomes invalid.

The validity and security of an authenticator sent via SMS cant be verified by you as an end user. Unlike other systems that use encryption to stop eavesdropping or MitM attacks, the PSTN system isnt encrypted. It was initially depreciated because the system is easy to attack, but was changed via the discussion linked above.

The fact is it can be intercepted without your knowledge and changed (compromise of confidentiality, integrity of the authenticator primarily) if they want to, but they deamed that it would be unlikely to happen except by state actors (or if you were targeted by anyone with a grudge and a little knowhow)

1 Like

I think I'll remove 2 factor authentication text message options from my accounts. I remember the mass hacking from the Poodlecorp events and I've seen some defcon event videos where they seem to be getting in pretty easily. Seems like it would make sense because if the phone/SIM is reactived in someone else's possession and a verification code is sent to that phone, it seems quite possible that they could use that information to recover accounts under their possession. I mean, it seems like it some cases they wouldn't need to recover it, they could just log in.

If you don't replace it with another 2FA then keep using it. Any 2FA is far better than none.

Remember the point is it's a second factor. With just one your account is far easier to break into.

1 Like