SECURITY: SMS should NOT be used for 2FA

*** begin quote ***

“The company that routes SMS for all major US carriers was hacked for five years. It isn’t revealing whether or not messages were exposed, but it’s just another reason not to use SMS for 2FA.”

*** end quote ***

So for the average layman, it means that if any service provider texts codes to your phone as a way of securing your account, that account is at risk of a security breach.

I’ve begun communicating with the providers I use, putting them on notice that (1) they are using an insecure technology to secure my account; and (2) asking when they plan to switch to a phone-based authentication technology or something better.

Now, if they say they use the GOOGLE or APPLE authenticator, you can point out that those too are insecure by design, since a hack of either high-profile target will make you vulnerable.

Using a “home grown” authenticator (something written by the service provider, like IDME) doesn’t have the transparency of open source code to assure security.

Any “home grown”, Google, or Apple authenticator does NOT separate the necessary and sufficient controls for good Information Security.

Suggest you tell them to support AUTHY or other third-party authenticators.  This is more secure because the “key” is only held by them and by you, locally on your phone.

Or if they really want to protect you, they can give you a hardware token like YUBIKEY or a hardware authenticator like SECURE_ID.

—30—
