Re: Malicious SS7 activity and why SMS should never by used for 2FA

[William Herrin <bill () herrin us>]

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel () beckman org> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
>
> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



-- 
William Herrin
bill () herrin us
https://bill.herrin.us/