Malicious SS7 activity and why SMS should never be used for 2FA

William Herrin bill at herrin.us
Sun Apr 18 15:02:26 UTC 2021


On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel at beckman.org> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
>
> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/