<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I wonder how much of this is moot because the amount of actual
SS7 is low and getting lower every day. Aren't most "SMS" messages
these days just SIP MESSAGE transactions, or maybe they use XMPP?
As I understand a lot of the cell carriers are using SIPoLTE
directly to your phone.<br>
</p>
<p>Mike<br>
</p>
<div class="moz-cite-prefix">On 4/18/21 8:24 AM, Mel Beckman wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0B6F5FAD-B686-4E54-8888-3B0D730C1191@beckman.org">
Although NIST “softened” its stance on SMS for 2FA, it’s still a
bad choice for 2FA. There are many ways to attack SMS, not the
least of which is social engineering of the security-unconscious
cellular carriers. The bottom line is, why use an insecure form of
communication for 2FA at all? Since very good
hardware-token-quality OTP apps are freely available, why be so
lazy as to implement 2FA using radically insecure SMS?
<div class=""><br class="">
</div>
<div class="">Your argument that 2FA is only meant to “enhance”
the security of a memorized password is just wrong. 2FA is meant
as a
<i class="">bulwark </i>against passwords that very often are
disclosed by data breaches, through no fault of the password
owner. 2FA enhances nothing. It guards against the abject
security failures of others. </div>
<div class=""><br class="">
</div>
<div class="">Consider this sage advice from 2020, long after NIST
caved to industry pressure on its recommendations.<br class="">
<div class=""><br class="">
</div>
<div class=""><a
href="https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html"
class="" moz-do-not-send="true">https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html</a></div>
<div class=""><br class="">
</div>
<div class=""> -mel</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Apr 18, 2021, at 8:02 AM, William Herrin
<<a href="mailto:bill@herrin.us" class=""
moz-do-not-send="true">bill@herrin.us</a>> wrote:</div>
<div class="">
<div class="">On Sun, Apr 18, 2021 at 7:32 AM Mel
Beckman <<a href="mailto:mel@beckman.org" class=""
moz-do-not-send="true">mel@beckman.org</a>>
wrote:<br class="">
<blockquote type="cite" class="">SMS for 2FA is not
fine. I recommend you study the issue in more depth.
It’s not just me who disagrees with you:<br class="">
<br class="">
<a
href="https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html"
class="" moz-do-not-send="true">https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html</a><br
class="">
</blockquote>
<br class="">
Mel,<br class="">
<br class="">
That Schneier article is from 2016. The 3/2020 update
to the NIST<br class="">
recommendation (four years later and the currently
active one) still<br class="">
allows the use of SMS specifically and the PSTN in
general as an out<br class="">
of band authenticator in part of a two-factor
authentication scheme.<br class="">
The guidance includes a note explaining the social
engineering threat<br class="">
to SMS authenticators: "An out of band secret sent via
SMS is received<br class="">
by an attacker who has convinced the mobile operator
to redirect the<br class="">
victim’s mobile phone to the attacker."<br class="">
<br class="">
<a
href="https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1"
class="" moz-do-not-send="true">https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1</a><br
class="">
<br class="">
The bottom line is that an out-of-band authenticator
like SMS is meant<br class="">
to -enhance- the security of a memorized secret
authenticator, not<br class="">
replace it. If properly used, it does exactly that. If
misused, it of<br class="">
course weakens your security.<br class="">
<br class="">
Regards,<br class="">
Bill Herrin<br class="">
<br class="">
<br class="">
<br class="">
-- <br class="">
William Herrin<br class="">
<a class="moz-txt-link-abbreviated" href="mailto:bill@herrin.us">bill@herrin.us</a><br class="">
<a class="moz-txt-link-freetext" href="https://bill.herrin.us/">https://bill.herrin.us/</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</body>
</html>