Malicious SS7 activity and why SMS should never be used for 2FA

Tom Beecher beecher at beecher.cc
Mon Apr 19 12:43:59 UTC 2021


>
> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection
>

Lots of people still use feature phones that are not capable of running
applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel at beckman.org> wrote:

> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection. The authenticated system generates a
> secret key - a unique 16 or 32 character alphanumeric code. This key is
> scanned by GA or can be entered manually and as a result, both the
> authenticated system and GA know the same secret key, and can compute the
> time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP
> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
> TOTP times out after some specified interval - usually 30 or 60 seconds.
> For TOTP, the system time must be synced, otherwise the generated OTPs will
> be wrong. But you can get accurate enough clock time without the Internet,
> either manually using some radio source such as WWV, or by GPS or cellular
> system synchronization.
>
>  -mel
>
> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark at tinka.africa> wrote:
> >
> > 
> >
> >> On 4/18/21 05:18, Mel Beckman wrote:
> >>
> >> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals, etc.
> >
> > While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an Internet
> connection. One may not be able to have access to the Internet for a number
> of reasons (traveling, coverage, outage, device, money, etc.), and a
> fallback needs to be available to authenticate.
> >
> > I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PINs.
> >
> > We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a level
> that one would consider "basic access".
> >
> > Mark.
>