Caute_cautim
Community Champion

Is SMS 2FA Sufficient Login Protection?

Hi All

 

Given the recent Reddit security breaches and associated issues with SMS and 2FA authentication and NIST back in 2016 recommending that you do not use it. Quite a few telcos have switched to using SS7 signaling to protect themselves and their clients? Is this sufficient? What are your professional recommendations, given a lot of security groups are discussing this subject at the present time?

 

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

 

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

 

https://www.darkreading.com/endpoint/authentication/is-sms-2fa-enough-login-protection/d/d-id/133247...

 

https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html

 

What would you recommend to your employers when asked about the subject?

 

Regards

 

Caute_cautim

11 Replies
Shannon
Community Champion

 

If we're talking about a system whose compromise will have a high impact on the organization, with the organization unwilling to accept the risk of this, my recommendation would be: 

 

Unless you completely trust the security of single-factor authentication used in the system AND have absolute faith in its users not becoming victims of phishing, social engineering, etc., consider 2-factor authentication.

 

 

An authentication system’s security / infallibility depends on multiple criteria including:

 

  1. An infallible authentication system: Flaws / vulnerabilities are continually discovered & often exposed in individual systems --- one should address these or else switch to a different system.
  2. Good security awareness of users: I’ve mentioned on a post on LinkedIn that a very common point of failure in any system is the end user --- so user-awareness can’t be overlooked.

Seeing both 1 and 2 --- particularly 2! --- being satisfied is often a fantasy, which is why you'd want to use multi-factor authentication. With a layered approach, the probability of the whole system being compromised is reduced, even if one of its individual layers is.

 

Of course, how an organization chooses to perceive this may differ from what the truth is, and that in turn will depend on:

 

  1. Impacts of the system’s compromise on the organization
  2. Costs - benefits of employing multi-factor authentication

 

Conclusion: You reduce the risks by using 2-factor authentication in place of single-factor authentication.

 

(While I can't say anything about SMS through SS7, this is just one means of authentication, so alternate ones could be employed, rather than doing away with 2-factor authentication altogether.)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CraginS
Defender I

@Caute_cautim asked if SMS across the telco infrastructure (Signal System 7/SS7) as the second factor in two-factor authentication (2FA) provides sufficient protection for system login. As asked, the question cannot be answered for two key reasons. First, the word sufficient is a subjective term, providing no basis for measurable evaluation of whether any tool or process is sufficient. Second, the question can only be answered when asked in a clearly defined context. Sufficiency can be judged only when we have clearly defined measurable criteria plus the environmental context.


To illustrate the argument, consider physical security provided by a door with installed lock. We define several levels of measurable resistance to intrusion through that locked door based on the type of attempt to get in.

 

Here is a suggested hierarchy of attempt types:
1. Simply turning the handle to see if it is locked.
2. Using a card or shim to push back the latch of the locked handset.
3. Time required for an experienced knowledgeable lock-picker to pick the lock.
4. Breaking the lock with brute force, such as a hammer.
5. Breaking a hole in the door, allowing the intruder to reach through the hole and unlock or open the door from the inside.
6. Breaking the entire door open enough to walk in without dealing with the lock.

 

For environmental context, consider where the locked door is, what it is protecting, and who is trying to enter.
Where:
1. Bedroom in a private single family home.
2. Front door of an apartment in a controlled access apartment building.
3. External door of a private home in publicly accessible residential neighborhood.
4. External door of a dry cleaning establishment.
5. External door of a jewelry store.
6. External door of a Google or Amazon or IBM cloud service provider (CSP) facility.
7. Internal door to the server farm room at a CSP facility.


The door is protecting the following:
1. Personal privacy in the bedroom.
2. Valuable items in storage, e.g. cash, jewelry, artwork, firearms, etc.
3. Sensitive information.
4. Legally protected information.

 

Who is trying to enter?
1. Family child wanting water.
2. Family teen snooping for cash or parents' adult entertainment magazines and videos.
3. Burglar.
4. Identity thief.
5. Corporate spy.
6. Nation-state spy.


Define your measurable level of protection, where and what you are protecting, and who you are protecting against (implied motivation) and you will finally be able to determine what is sufficient. You have so many options: The door can be hollow core, solid core with windows, solid core without windows, or steel. The lock can be internal latch opened with nail or screwdriver, simple latch with lockset, deadbolt, double-throw deadbolt, lock-pick resistant with custom key, etc.


Other analogous discussions can use the standards for safes resisting entry attempts, and for fire-resistant storage boxes.


@Shannon hinted at some of these issues in the previous reply.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Caute_cautim
Community Champion

Thank you for your comments; obviously you are more prone to picking out the semantics, rather than engaging in a meaningful dialogue.

Good luck to you both
Caute_cautim
Community Champion

In light of my colleagues' previous comments: I go back to the following link and background: The context is the use of SS7 within private telecommunications networks, and the increasing number of 2FA hacks occurring via SMS as part of the authentication dialogue. NIST states it no longer recommends the use of two factor authentication for SMS. https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

 

https://www.wired.com/2017/05/fix-ss7-two-factor-authentication-bank-accounts/

 

Should Telecommunications Providers ensure that the security aspects of SS7 are fully enabled?

 

Or should additional security awareness be provided to ensure that the general public are aware, and make their own choices?

 

Caute_cautim

CraginS
Defender I

John, 


@Caute_cautim wrote:
 engaging in a meaningful dialogue.

And I fully agree with working for meaningful dialog. Thank you for the clarification.

 

In our field, semantic clarity and context are both essential to meaningful dialog. As an example, many years ago I watched a U.S. Navy Commander and a Department of Defense GS-14 civilian engage in a raucous shouting match argument over how to implement network boundary protections using firewall and router rules. They are both experts in the field, and in fact were in total agreement on how to proceed. The vigorous argument was the result of failing to clearly define the key term "protocol." Each had in mind a slightly different definition, both legitimate, but because of the differences in their minds, they thought they had differing positions; they did not.

 

Now, on to the question at hand of whether or how to use SMS as a second factor in 2FA for system login. It would be great to ask the TELCOs to update the level of security of SS7 equipment. However, I believe it is nearly impossible to do so. SS7 technology far predates current levels of awareness and concern over telecommunication security and privacy. The stages of first designing suitable upgrades to SS7 systems, then the tremendous cost of upgrading the multi-enterprise infrastructure of SS7 equipment would be prohibitive.

 

I'd suggest taking a different tack, by using newer crypto-based digital technology such as FIDO U2F token devices like those marketed by YubiKey. A recent public relations item noted that Google is now using such devices for 2FA access to their internal servers.

 

The obvious challenge with a FIDO U2F solution is how to get the devices into the hands of consumers, who seem to want their smartphones to work all magic for them.

 

Another possibility, although potentially less secure, is to increase use of a smartphone app that generates a registered RSA SecurID code, analogous to the SecurID token.

 

A challenge common to both the FIDO U2F and RSA SecurID processes is how to make a single device or token usable across multiple unrelated enterprises. None of us want a keyring full of YubiKeys or SecurID tokens, each for a different site.

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Shannon
Community Champion

@Caute_cautim, the question as you first posed it is vague. The heading was 'Is SMS 2FA Sufficient Login Protection?,' and the post ended with 'What would you recommend to your employers when asked about the subject?'

 

 

Let's take a fictitious scenario here:

 

Employer: I need to secure authentication to a system. Do you think SMS 2FA would be adequate?

Employee: Not really, particularly given the fact that NIST doesn't recommend using it anymore.

Employer: Great! I will give you details of the system, and you can provide the cost-benefit analysis.

Employee: No problem. So what system are you referring to?

Employer: It's the account that we provide to staff to engage in casual chats on our site's forum.

 

As @CraginS said, context is an important factor. An entity / organization won't take a call on securing their systems merely based on industry news or NIST's recommendations --- they'll consider the business-value of what they are trying to protect, and the costs - benefits of protecting it.

 

 

Since you made a reference to an employer asking this, let me advise you on how to handle it: If it's related to business, 1st ensure that you have enough info about what you're trying to secure, and then provide a verbal recommendation. To formalize that, gather all information about the system, assess it, perform a risk analysis, and finally submit the report to your employer, with your recommendation...

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Okay: Thank you for your responses. It seems to me it's another case of the general public having to be made aware and to make appropriate decisions. But in this case, depending on the country, provider, etc., they may have no choice whatsoever.

 

Regards

 

Caute_cautim

https://www.linkedin.com/in/john-martin-6045821

 

arnold
Newcomer I

If the assumption is the information assets being protected are critical and confidentiality is key, and you can only use SMS 2FA, then you must have done due diligence to check the communications network provider to ensure they have at the very least done the following as recommended by GSMA and security scholars to limit possible access to the authentication messages.

 

1. Implementation of GSMA's latest versions of GSMA FS.11: SS7 Monitoring, GSMA FS.07: SS7 filtering, GSMA IR.82: Security SS7 implementation on SS7 network guidelines, GSMA FS.19: Diameter interconnect security, GSMA IR.88: LTE roaming guidelines, GSMA IR.77: Inter-Operator IP Backbone Security Requirements, GSMA IR.67: DNS and ENUM guidelines for Service Providers & GRX and IPX Providers.

 

2. 3GPP TS 33.117, TS 33.116 or TS 33.250: Security Assurance on critical nodes.

 

I have also come across alternatives that suggest the use of bidirectional SMS flow, where a factor is sent by SMS and also on a view resource and users will need to send a reply to the authenticator with the code in the view resource; with access to the SS7 network, the authenticator is able to know if this is from an attacker.

 

I however have to mention, like others have written, the measure is important. As you may be aware:

1. SMS messages for most network providers are transmitted in plain text within the so-called "walled garden", so one with access to SS7 can access them. Even where the above controls are in place, within the network, network engineers within the said network can see these messages if they choose to check the SMS data queues, or run packet tracers.

 

2. The air interface between the mobile device and the base station should be using strong ciphers; there are networks that are still using A5/1, A5/2, which are considered weak, making the SMS susceptible to attacks over the air interface.

 

Like another said, if you require to authenticate staff to a casual chatting forum, you probably would not worry about access to your second factor, but for another private research organisation having high e-level discussions about their new successful ability to make heavy metal elements (read uranium or gold) from iron, SMS 2FA should never be on the options table; other alternatives, at the minimum Fast Identity Online.

TimG
Newcomer III

Horses for courses, I guess.

SMS 2FA isn't great, but it's convenient (unless like me you work in what seems to be a Faraday cage so my second authentication factor is the office windowsill). If a compromise won't ruin anyone's life then it's probably worth a punt. Note that some services provide blocks of one-time codes in a single message. If someone misuses one of your codes, your attempt to use it or an earlier one in the sequence will fail so at least you're alerted. That might be enough of an assurance, depending on your use case.

Authenticator apps are getting better, but if all the systems you wish to secure can be found in the ecosystem of just one authenticator app you've struck lucky. We do need some sort of assurance about the quality of the app, the underlying service and the state of the user's mobile device, though, so selecting and rolling out the app may be more difficult at the outset.

Microsoft supports FIDO keys now, Google's just announced that it's launching its own, and Cisco has just bought Duo. The big guys are getting in on the act, though whether that will help drive prices down or reduce market fragmentation remains to be seen.
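
The sequential one-time-code behaviour described in the reply above, sketched as an added example that is not part of the original thread or any service's actual code. It assumes the codes in a block are RFC 4226 HOTP values at consecutive counters and that accepting a code spends it and every earlier one; `CodeBlockVerifier`, the block size and the key are hypothetical or constructed.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CodeBlockVerifier:
    """Hypothetical server side for a block of sequential one-time codes."""

    def __init__(self, key: bytes, block_size: int = 5):
        self.key = key
        self.block_size = block_size
        self.next_index = 0  # lowest position in the block still acceptable

    def issue_block(self) -> list:
        return [hotp(self.key, i) for i in range(self.block_size)]

    def _matches(self, code: str, index: int) -> bool:
        return hmac.compare_digest(code.encode(), hotp(self.key, index).encode())

    def verify(self, code: str) -> str:
        # An unspent code is accepted and spends itself and all earlier codes.
        for i in range(self.next_index, self.block_size):
            if self._matches(code, i):
                self.next_index = i + 1
                return "accepted"
        # A valid-but-spent code is the signal the account owner is alerted on.
        for i in range(self.next_index):
            if self._matches(code, i):
                return "alert: code already spent"
        return "rejected"

def demo() -> list:
    key = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    verifier = CodeBlockVerifier(key)
    block = verifier.issue_block()
    return [
        verifier.verify(block[2]),  # someone other than the owner uses code 3
        verifier.verify(block[0]),  # owner then tries an earlier code: alert
        verifier.verify(block[3]),  # next unspent code still works
        verifier.verify("000000"),  # not in the block at all
    ]

if __name__ == "__main__":
    print(demo())
```

The alert only fires when the legitimate user next tries a spent code, so it detects misuse after the fact rather than preventing it.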