Malicious SS7 activity and why SMS should never by used for 2FA

William Herrin bill at
Sun Apr 18 19:47:36 UTC 2021

On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna at> wrote:
> On top of this most TOTP and HOTP systems have additional security checks
like blocking reuse of codes, rate-limiting of guesses, and in some cases
acceptance of earlier codes (in TOTP) if the clock skews too far that make
them much stronger options which decreases security but is certainly more
of a convenience factor.

Hi John,

On a site, the symmetric key used to generate the TOTP code is stored in
the same database as the user's password. Unencrypted or with readily
reversible encryption since unlike a password it can't be verified by
comparing ciphertext. Your protection is that every site uses a different
TOTP key, just like you're supposed to use a different password, so
compromise of a single site doesn't broadly compromise you elsewhere. It
can also be captured with malware on your phone, the same place an
adversary will sniff your password, which -will- broadly compromise you if
you're also entering the passwords on your phone.

None of these authentication schemes are magic. They all have attack
vectors with varying degrees of difficulty, none of which are particularly
harder than breaking a well chosen password. 2FA doesn't solve this. All it
does is require an adversary to break -two- completely different
authentication schemes in close enough proximity that you won't have closed
the first breach before they gain the second. That's it. That's all it

While attacks on SMS are certainly practical, stop and think for a moment
on how you would scale them up and break 10000 accounts per day. Got a plan
where you're not caught in the first two days? No, you don't.

SMS is not a strong authentication factor. When used well, it's not
intended to be. It's meant to require an adversary to do enough extra work
after having already captured your password that unless they're
specifically targeting you, the odds favor discovering and correcting the
original breach before much harm can be done. For that use and that use
only, it performs about as well as TOTP.

If you can reset your email password with an SMS message and reset your
bank password with an email then SMS has been misused as a very weak single
factor authentication process. Not because SMS offers weak authentication
(that's all it's meant to offer) but because it was used incorrectly in a
process that needed strong authentication.

Bill Herrin

William Herrin
bill at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list