Many corporate and consumer-based systems and applications deploy short message service (SMS)-based two-factor authentication technology to help protect users from being hacked. This method of two-factor authentication is fairly simple; a user will log onto an app or system using their username and password, and then a unique security code is generated by an algorithm within the app, which is then sent to the user's phone via a text message. If that code is correctly entered into the system when prompted, it theoretically will authenticate the person trying to log into the system.
However, SMS-based authentication is rife with security holes. Alex Weinert, Microsoft's director of identity security, published a blog post in early November highlighting the immense risk of continuing to use SMS-based codes to authenticate users, given the ability of hackers to either intercept the codes while they're being sent (basic SMS messages are unencrypted), or to simply carry out a scheme known as subscriber identity module (SIM)-card swapping, or SIMjacking.
SIMjacking is a technique through which a criminal will call a user's wireless company and use information gathered about the user (including personal data garnered via phishing schemes, guessing answers to challenge questions, and exploiting the empathetic nature of humans) to have a phone's SIM card transferred to their account, giving them access to the user's SMS messages, including authentication texts.
"SIM-based multi-factor authentication is probably one of the most popular MFA methods on the Internet, if not the most popular, meaning that almost every company you deal with uses these SMS-based MFA solutions, and you really don't have a choice," says Roger Grimes, author of Hacking Multifactor Authentication, and a Data-Driven Defense Evangelist at KnowBe4, a security awareness education company. "Not only is [SMS] a poor authenticator, it is fairly easy to hack, but many times you can't opt out of it."
That's why security professionals suggest the use of multi-factor authentication applications, which are designed to reside on each physical device and do not require the use of SMS-based authentication codes. Authentication applications, which have been released by both large companies (Google Authenticator, Microsoft Authenticator) and independent software vendors (Twilo Authy, LogMeIn LastPass Authenticator, and Duo Mobile) generally only require a data connection during the initial set-up process, which involves installing the application on a smartphone, then configuring it to work with each account to be protected. Each account provides a secret key that is shared over a secure data channel to the authenticator app, and is used for all future logins.
To log into such a site, the user will provide credentials (a username and password to the site); an algorithm then generates codes using the current time on the device and the shared secret key, in order to generate a one-time password, then asks the user to enter it. The user runs the Authenticator app, which independently computes and displays the same password, which the user types into the site, authenticating their identity.
The additional complexity will deter and stop most casual attackers, who would need both login credentials and the physical device containing the authenticator app. Because the codes are generated within the app itself, SMS codes are not required, ensuring authentication can occur in areas with little or no cellular reception.
That said, authentication apps can be more complex to install and administer, especially for consumers that lack a technical background. That is one reason why many financial institutions still rely on SMS-based authentication, according to Paul van Oorschot, professor of computer science at Carleton University, ACM Fellow, and author of Computer Security and the Internet: Tools and Jewels. Van Oorschot says corporate enterprises have leverage over workers; they may simply refuse to grant workers access to their applications unless an authentication application is used, and they usually provide some nominal support to ensure it is working. However, consumer-focused organizations such as banks often don't have the necessary technical expertise, and are unable to provide the support needed for authentication apps.
"You have to make sure your end-users download the proper app, and make sure it's not malicious software," van Oorschot says, noting that MFA apps can be challenging to install and configure for non-technical customers. What's more, any additional steps, such as using three-factor authentication to further secure an account, may be considered a hassle by end-users, which could be considered a competitive disadvantage. "If one bank uses three factors to authenticate users, and another uses two factors, people may just migrate to the bank where it is easier to use," van Oorschot says.
Regardless of the method or number of factors used to authenticate users, MFA apps may provide a false sense of security to users simply because security breaches are more often due to social engineering (using deception to manipulate people into providing confidential or personal information that will be used for fraudulent purposes), rather than any technological security flaws.
"Unpatched software is responsible for about 20% to 40% of today's malicious data breaches, whereas social engineering is involved in 70% to 90%," Grimes says, noting that social engineering-based attacks don't require a hacker to physically access a device or platform, and have been successful against vulnerable groups of people, such as senior citizens, as well as supposedly security-aware workers and consumers.
"When giving an MFA solution to an end-user, administrators should educate them about the types of attacks that they need to be aware of," Grimes says. "Handing somebody an MFA solution, and going, 'here you go -- it's to protect you and make it harder to attack or harder to hack'," may cause some users to think they're invulnerable to all types of hacking behavior, which simply isn't true."
Keith Kirkpatrick is principal of 4K Research & Consulting, LLC, based in New York, NY, USA.