Takedown
by Jacky Alcine
A primer on authentication schemes, the known vulnerabilities of those schemes, and methods to improve authentication (and authorization!) for end users.
I'm a software engineer at Lyft, formerly at Clef, Shutterstock and a few other places.
I enjoy video games, books and teaching my people what I've learned. I talk more about myself on my site at jacky.wtf.
Me acting a fool in front of the building where both the Crime Bill and Net Neutrality Act were passed.
Spoofed as account holder
Move SIM data to new IMEI
Reset social media credentials
pwnd city
Spoofing, or the act of impersonating another person with malicious intent, is a common practice for taking over accounts, digitally or physically.
It's the equivalent of copying your house door key - both of y'all got access now.
With control of the recovery mechanism a site requires you to use to recover your account when you've forgotten your password (or in conjunction with signing in), everything is possible.
This can get ugly.
A Tier 0 (T0) account would be an account that, if compromised, can be used to take down other accounts as well. Protect your email.
"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
A hardware device that generates codes and keys usable for authentication and authorization, often by emulating a keyboard to type them in for you.
Imagine if your house key changed every second, couldn't be changed and only worked at a particular time with the lock for your home.
That's a small ability of hardware tokens.
Invest in adding 2FA support for your product/project.
Invest in communicating how users can transition to a MFA setup.
Darrell Jones of Clef wrote about getting teams on board with 2FA as well as when the best time to integrate 2FA is (hint: NOW)
Contact your service's support, ask whether 2FA is supported, and add pressure for it if it isn't.
That's because security, in the realm of UX, should be seamless and invisible.
A service named Instant2FA by Clef that allows you to make use of TOTP/HOTP approaches with other services and "upgrade" to secure tokens.
HOTP
TOTP
OATH (not OAUTH)
More popular and resilient implementation of OTP.
Commonly used in secure token devices like the RSA device.
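To make the HOTP/TOTP/OATH slides concrete (and to show what the "key that changes every second" behind a hardware token actually computes), here is an added example that is not part of the original talk, nor code from Clef or Instant2FA. It implements HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 using only the Python standard library, then shows the server-side checks a practitioner cares about: a forward-only counter for HOTP (so a captured code cannot be replayed), a small clock-skew window for TOTP, and constant-time comparison of the submitted code. The test secret and expected codes are the published test vectors from those two RFCs; the look-ahead and skew window sizes are assumed policy choices, not anything from the page.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
# Real deployments provision a random per-user secret, never a fixed one.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32; decode it
    case-insensitively and restore any stripped '=' padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of whole time steps since t0."""
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check. Only counters strictly after the last accepted
    one are tried (replay protection); a bounded look-ahead tolerates the
    client generating codes that never reached the server. Returns the
    matched counter (store it as the new last_counter) or None."""
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        # compare_digest avoids leaking match position through timing.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side TOTP check. Accepts the current step and +/- skew steps for
    clock drift, but never a step at or before the last one already used, so a
    code observed in transit cannot be replayed within its window. Returns the
    matched step (store it as the new last_used_step) or None."""
    current = now // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Hardware token behaviour: the displayed code depends on the secret and the clock.
    print("RFC 4226 HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("RFC 6238 TOTP at T=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print("TOTP right now:", totp(RFC_TEST_SECRET, int(time.time())))
```

Note that TOTP gives you nothing beyond HOTP cryptographically; it just replaces the shared counter with the clock, which is why the server must still remember the last step it accepted. A token that only checks "is this the code for the current window" will happily accept the same code twice.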