Malicious SS7 activity and why SMS should never by used for 2FA

Tom Beecher beecher at
Mon Apr 19 13:07:13 UTC 2021

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who
still use feature phones and those that spending $30 on said hardware token
is financially obtrusive. ( Not to mention that every hardware token I can
remember looking at requires an app to set themselves up in the first
place, and if this is for the people who can't install apps, that's an
interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing
out that we ( as in the technical community we ) have a tendency to put
forward solutions that completely ignore what might be reasonably feasible
for those of lower income , or parts of the world not as technologically
developed as we might be in ourselves, and we should try to shrink that gap
whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel at> wrote:

> Then they can buy a hardware token. Using SMS is provably insecure, and
> for people being spear-phished (a much more common occurrence now that so
> much net worth data has been breached), a huge risk
>  -mel
> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher at> wrote:
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection
> Lots of people still use feature phones that are not capable of running
> applications such as this.
> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel at> wrote:
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection. The authenticated system generates a
>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>> scanned by GA or can be entered manually and as a result, both the
>> authenticated system and GA know the same secret key, and can compute the
>> time-based 2nd factor OTP just as hardware tokens do.
>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>> be wrong. But you can get accurate enough clock time without the Internet,
>> either manually using some radio source such as WWV, or by GPS or cellular
>> system synchronization.
>>  -mel
>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark at> wrote:
>> >
>> > 
>> >
>> >> On 4/18/21 05:18, Mel Beckman wrote:
>> >>
>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>> The telcos had years to secure SMS. They did nothing. The plethora of
>> well-secured commercial 2FA authentication tokens, many of them free,
>> should be a mandatory replacement for 2FA in every security governance
>> regime, such as PCI, financial account access, government web portals, etc.
>> >
>> > While I agree that SMS is insecure at the moment, I think there still
>> needs to be a mechanism that does not rely on the presence of an Internet
>> connection. One may not be able to have access to the Internet for a number
>> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
>> fallback needs to be available to authenticate.
>> >
>> > I know some companies have been pushing for voice authentication for
>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>> >
>> > We need something that works at the lowest common denominator as well,
>> because as available as the Internet is worldwide, it's not yet at a level
>> that one would consider "basic access".
>> >
>> > Mark.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list