Malicious SS7 activity and why SMS should never by used for 2FA
Mark Tinka
mark at tinka.africa
Sun Apr 18 12:44:00 UTC 2021
On 4/18/21 05:18, Mel Beckman wrote:
> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals,
> etc.
While I agree that SMS is insecure at the moment, I think there still
needs to be a mechanism that does not rely on the presence of an
Internet connection. One may not be able to have access to the Internet
for a number of reasons (traveling, coverage, outage, device, money,
e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for
their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well,
because as available as the Internet is worldwide, it's not yet at a
level that one would consider "basic access".
Mark.
More information about the NANOG
mailing list