Home » Technology News » Why you should not rely on two-step authentication via SMS

Why you should not rely on two-step authentication via SMS

It is always a good idea to enable two – step verification in all services to which you have access. Beyond a strong password, this layer of additional security is much more effective in ensuring that only you can access your data. The key is to require two factors in order to confirm the identity of the user: something that is known, something you have or something you are.

In the case of two-step authentication via SMS, it is assumed that the control of a telephone number to which a text message arrives is sufficient proof of identity to give access to an account. In the same way that having the bank’s debit card and knowing the PIN is the two identification factors in this case. However, since it has been shown that the use of SMS for this purpose is uncertain and therefore you should not use.

What is multifactor authentication?

Any method in which access to a computer system only when the user presents different pieces of evidence of identity, it is considered of multifactor authentication (MFA).

The two – step authentication, abbreviated 2FA (two – factor authentication) is a type of multifactor authentication that requires the combination of two different components to confirm the identity. Your ATM uses 2FA.

These factors are all based on the premise that it would be very difficult for an unauthorized entity can be done both at the same time. They can be things like: an object (USB memory, card, key, etc.), something that only the user knows (password, PIN), something that the user is (biometric features like fingerprints, voice, typing pattern, iris Eye, etc.).

About SMS and Two-Step Authentication

Using a mobile device as part of the two-step verification can be very convenient. It is something that the user always carries with him, is easy to use and has internet connection or cellular network to become necessary for authentication. Now, using SMS for this is not the best way to take advantage of it.

Text messages are often the weakest link in the two – step verification step, they are easy to intercept and should never assume their safety. With simple social engineering a malicious third party can convince your operator to redirect your messages to a different SIM card by intercepting all your access codes. It’s happened before.

Although using SMS as a second step is better than nothing, it can not really be classified as a correct factor to be considered two-step verification. An SMS is not something the user knows, not something you have or something that is. It is only information that reaches a device that has, as long as the operator sends them to the right person.

In fact, in mid-2016, the National Institute of Standards and Technology of the United States declared unsafe to SMS as a method of authentication in two steps and say they should be banned in the future due to several concerns.

It is very easy for anyone to get a phone and the operator of a website has no way to verify that whoever receives the code via SMS is the correct person. Not only that, but two – factor authentication based on SMS is also likely to be kidnapped if the individual uses a VoIP service.

All this without the serious defect in Signaling System Number 7 (SS7), the protocol used by most telecom operators to connect to each other when we make calls, send messages or share data over the Internet. Its outdated infrastructural makes it easy for the hacekrs can redirect calls and messages to their own devices.

What are the alternatives?

Instead of using something that sends you a third party as an SMS, use something you have. There are applications dedicated as Google Authenticator, Authy, RSA SecurID, OTP Authenticator, etc.

These apps generate codes that you’ll need to log in every time you want to log in to your accounts. The process varies a little depending on each service, sometimes you must log in by scanning a QR code or simply entering an alphanumeric key.

Another option is to use backup codes. These are very useful in case you lose your phone and you can not access the authentication application. Google offers the creation and display of a group of codes that can score in a safe place so you can access your accounts. These operate only once.

There are also physical products such as Yubikey, a USB key that functions as additional authentication factor. Obviously their “disadvantage” is that they cost money, but are much more comfortable than having to wait and enter codes manually every time we want to log on. With these types of options all we have to do is connect the device to a USB port to confirm our identity.

About

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*

Tweets

Blog Roll

http://wikimodel.org/ Business and Tech Guide.

Top news from the Daily Express

SuperWebTricks Loading...