An article on Information Security Buzz highlights a problem with using SMS messaging to act as a second layer of authentication for online services.
According to the article, “researchers have exploited a flaw in the SS7 protocol to intercept one time passcodes (OTP) used by many online services to reset passwords”. What that means for people who use text message verification to confirm their logins or reset their passwords is that they can’t count on those messages being delivered, and that even if they’re delivered it’s entirely possible that they could have been intercepted.
Luckily, for most uses there are a few other options out there. My personal recommendation is to use applications that deliver Time-based One-time Passwords (TOTPs). The best of these reside on your device (e.g. smartphone, dedicated token, or PC) and generate new codes every 30-60 seconds. The generator doesn’t need a network connection to function, so not being able to receive a text message doesn’t matter, and there’s no SMS message, email or other communication to intercept. My personal favourite is Google Authenticator, which allows a wide variety of services to be configured by scanning QR codes, but there are many other options that do the same thing or offer a slightly different interaction for account setup or login verification.