nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never by used for 2FA

From: Mel Beckman <mel () beckman org>
Date: Sun, 18 Apr 2021 15:24:45 +0000

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS,
not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use
an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available,
why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a
bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA
enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

-mel

On Apr 18, 2021, at 8:02 AM, William Herrin <bill () herrin us<mailto:bill () herrin us>> wrote:

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel () beckman org<mailto:mel () beckman org>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/

Current thread:

Re: Malicious SS7 activity and why SMS should never by used for 2FA, (continued)
- - - Re: Malicious SS7 activity and why SMS should never by used for 2FA Eric Kuhnke (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Nathaniel Ferguson (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Randy Bush (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA bzs (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA bzs (Apr 20)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
  - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Michael Thomas (Apr 18)