nanog mailing list archives
Re: Malicious SS7 activity and why SMS should never by used for 2FA
From: William Herrin <bill () herrin us>
Date: Sun, 18 Apr 2021 08:02:26 -0700
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel () beckman org> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out-of-band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators:

"An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
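The distinction Bill draws (SMS enhancing a memorized secret versus replacing it) is easy to see in code. The following is an added example written for this archive page, not code from the thread or from NIST: a toy authentication service with a password check, an SMS out-of-band code (time-limited, single-use, constant-time compared), and a mobile operator that can be talked into rerouting a number, which is the redirect attack the NIST note describes. Every name, phone number, password and class here is constructed for illustration. `login` requires the password before any code is sent; `reset_password_by_sms` is the misuse, a recovery path where the SMS code alone overwrites the secret.

```python
"""Added example: SMS as a second factor behind a password, beside the
misuse where the SMS code alone resets the password. A SIM-swap/redirect
attacker is modelled as the operator rerouting the victim's number."""

import hashlib
import hmac
import secrets
import time


class MobileOperator:
    """Constructed stand-in for the carrier: an SMS to a number lands in
    whichever handset the operator currently routes that number to."""

    def __init__(self):
        self.route = {}   # phone number -> handset id
        self.inbox = {}   # handset id -> list of SMS bodies

    def register(self, phone, handset):
        self.route[phone] = handset
        self.inbox.setdefault(handset, [])

    def redirect(self, phone, handset):
        # The NIST-described outcome: the operator is convinced to move
        # the victim's number to a handset the attacker controls.
        self.register(phone, handset)

    def send_sms(self, phone, body):
        self.inbox[self.route[phone]].append(body)

    def read_latest(self, handset):
        msgs = self.inbox.get(handset)
        return msgs[-1] if msgs else None


class AuthService:
    CODE_TTL = 300  # seconds an out-of-band code stays valid (assumed value)

    def __init__(self, operator, clock=time.time):
        self.operator = operator
        self.clock = clock
        self.accounts = {}    # username -> {"phone", "salt", "pw_hash"}
        self.challenges = {}  # challenge id -> {"username", "code", "expires"}

    # memorized secret: salted PBKDF2, constant-time comparison
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"phone": phone, "salt": salt,
                                   "pw_hash": self._hash(password, salt)}

    def check_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"])

    # out-of-band authenticator: random 6-digit code, expiring, single use
    def send_code(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self.challenges[cid] = {"username": username, "code": code,
                                "expires": self.clock() + self.CODE_TTL}
        self.operator.send_sms(self.accounts[username]["phone"], f"Your code is {code}")
        return cid

    def verify_code(self, cid, code):
        ch = self.challenges.pop(cid, None)  # pop: a code can be used once
        if ch is None or self.clock() > ch["expires"]:
            return None
        return ch["username"] if hmac.compare_digest(ch["code"], code) else None

    @staticmethod
    def _code_from(sms):
        return sms.split()[-1]  # what the handset holder types back

    # proper use: the SMS code enhances the password, it is never sent without it
    def login(self, username, password, handset):
        if not self.check_password(username, password):
            return False
        cid = self.send_code(username)
        sms = self.operator.read_latest(handset)
        return sms is not None and self.verify_code(cid, self._code_from(sms)) == username

    # misuse: the SMS code replaces the password
    def reset_password_by_sms(self, username, new_password, handset):
        cid = self.send_code(username)
        sms = self.operator.read_latest(handset)
        if sms is None or self.verify_code(cid, self._code_from(sms)) != username:
            return False
        acct = self.accounts[username]
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        return True


def scenario():
    """Constructed run: victim enrols, then the operator redirects her number."""
    op = MobileOperator()
    op.register("+15550100", "victim-phone")
    op.register("+15550199", "attacker-phone")
    svc = AuthService(op)
    svc.create_account("alice", "correct horse battery staple", "+15550100")
    r = {"victim_login": svc.login("alice", "correct horse battery staple", "victim-phone")}
    op.redirect("+15550100", "attacker-phone")
    # Strict flow: attacker now receives alice's SMS but cannot pass the password step.
    r["attacker_login"] = svc.login("alice", "guess", "attacker-phone")
    # Misused flow: the SMS alone rewrites the secret, then both factors fall.
    r["attacker_reset"] = svc.reset_password_by_sms("alice", "pwned", "attacker-phone")
    r["attacker_login_after_reset"] = svc.login("alice", "pwned", "attacker-phone")
    return r
```

Running `scenario()` shows the redirected attacker failing `login` (no code is even sent without the password) yet succeeding through `reset_password_by_sms`, after which the account is fully theirs. The weakness is not the SMS channel by itself but the recovery path that lets the out-of-band code stand in for the memorized secret.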