<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>I wonder how much of this is moot because the amount of actual
      SS7 is low and getting lower every day. Aren't most "SMS" messages
      these days just SIP MESSAGE transactions, or maybe they use XMPP?
      As I understand it, a lot of the cell carriers are using SIPoLTE
      directly to your phone.<br>
    </p>
    <p>Mike<br>
    </p>
    <div class="moz-cite-prefix">On 4/18/21 8:24 AM, Mel Beckman wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:0B6F5FAD-B686-4E54-8888-3B0D730C1191@beckman.org">
      Although NIST “softened” its stance on SMS for 2FA, it’s still a
      bad choice for 2FA. There are many ways to attack SMS, not the
      least of which is social engineering of the security-unconscious
      cellular carriers. The bottom line is, why use an insecure form of
      communication for 2FA at all? Since very good
      hardware-token-quality OTP apps are freely available, why be so
      lazy as to implement 2FA using radically insecure SMS? 
      <div class=""><br class="">
      </div>
      <div class="">Your argument that 2FA is only meant to “enhance”
        the security of a memorized password is just wrong. 2FA is meant
        as a
        <i class="">bulwark </i>against passwords that very often are
        disclosed by data breaches, through no fault of the password
        owner. 2FA enhances nothing. It guards against the abject
        security failures of others. </div>
      <div class=""><br class="">
      </div>
      <div class="">Consider this sage advice from 2020, long after NIST
        caved to industry pressure on its recommendations.<br class="">
        <div class=""><br class="">
        </div>
        <div class=""><a
            href="https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html"
            class="" moz-do-not-send="true">https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html</a></div>
        <div class=""><br class="">
        </div>
        <div class="">  -mel</div>
        <div class=""><br class="">
          <div>
            <blockquote type="cite" class="">
              <div class="">On Apr 18, 2021, at 8:02 AM, William Herrin
                <<a href="mailto:bill@herrin.us" class=""
                  moz-do-not-send="true">bill@herrin.us</a>> wrote:</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <div class="">On Sun, Apr 18, 2021 at 7:32 AM Mel
                  Beckman <<a href="mailto:mel@beckman.org" class=""
                    moz-do-not-send="true">mel@beckman.org</a>>
                  wrote:<br class="">
                  <blockquote type="cite" class="">SMS for 2FA is not
                    fine. I recommend you study the issue in more depth.
                    It’s not just me who disagrees with you:<br class="">
                    <br class="">
                    <a
href="https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html"
                      class="" moz-do-not-send="true">https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html</a><br
                      class="">
                  </blockquote>
                  <br class="">
                  Mel,<br class="">
                  <br class="">
                  That Schneier article is from 2016. The 3/2020 update
                  to the NIST<br class="">
                  recommendation (four years later and the currently
                  active one) still<br class="">
                  allows the use of SMS specifically and the PSTN in
                  general as an out<br class="">
                  of band authenticator in part of a two-factor
                  authentication scheme.<br class="">
                  The guidance includes a note explaining the social
                  engineering threat<br class="">
                  to SMS authenticators: "An out of band secret sent via
                  SMS is received<br class="">
                  by an attacker who has convinced the mobile operator
                  to redirect the<br class="">
                  victim’s mobile phone to the attacker."<br class="">
                  <br class="">
                  <a
                    href="https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1"
                    class="" moz-do-not-send="true">https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1</a><br
                    class="">
                  <br class="">
                  The bottom line is that an out-of-band authenticator
                  like SMS is meant<br class="">
                  to -enhance- the security of a memorized secret
                  authenticator, not<br class="">
                  replace it. If properly used, it does exactly that. If
                  misused, it of<br class="">
                  course weakens your security.<br class="">
                  <br class="">
                  Regards,<br class="">
                  Bill Herrin<br class="">
                  <br class="">
                  <br class="">
                  <br class="">
                  -- <br class="">
                  William Herrin<br class="">
                  <a class="moz-txt-link-abbreviated" href="mailto:bill@herrin.us">bill@herrin.us</a><br class="">
                  <a class="moz-txt-link-freetext" href="https://bill.herrin.us/">https://bill.herrin.us/</a><br class="">
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
      </div>
    </blockquote>
  </body>
</html>