I wonder how much of this is moot because the amount of actual SS7 is
low and getting lower every day. Aren't most "SMS" messages these days
just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a
lot of the cell carriers are using SIPoLTE directly to your phone.
Mike
On 4/18/21 8:24 AM, Mel Beckman wrote:
Although NIST “softened” its stance on SMS for 2FA, it’s still a bad
choice for 2FA. There are many ways to attack SMS, not the least of
which is social engineering of the security-unconscious cellular
carriers. The bottom line is, why use an insecure form of
communication for 2FA at all? Since very good hardware-token-quality
OTP apps are freely available, why be so lazy as to implement 2FA
using radically insecure SMS?
Your argument that 2FA is only meant to “enhance” the security of a
memorized password is just wrong. 2FA is meant as a /bulwark /against
passwords that very often are disclosed by data breaches, through no
fault of the password owner. 2FA enhances nothing. It guards against
the abject security failures of others.
Consider this sage advice from 2020, long after NIST caved to industry
pressure on its recommendations.
https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html
<https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html>
-mel
On Apr 18, 2021, at 8:02 AM, William Herrin <b...@herrin.us
<mailto:b...@herrin.us>> wrote:
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <m...@beckman.org
<mailto:m...@beckman.org>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more
depth. It’s not just me who disagrees with you:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
<https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html>
Mel,
That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."
https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1
<https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1>
The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
