HELLFIRE (MVM, join:2009-11-25) · 8 recommendations

It's Time to Hang Up on Phone Transports for Authentication

»techcommunity.microsoft. ··· /1751752
quote:
Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.

It bears repeating, however, that MFA is essential – we are discussing which MFA method to use, not whether to use MFA. Quoting an earlier blog, “Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”

The Usual Suspects
It’s worth noting that every mechanism to exploit a credential can be used on PSTN – OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN.
Original EMP from source article. Makes a plug at the end for MS Authenticator, but still an interesting read. Sharing out of interest on the matter.

Regards
InternetJeff (Member, join:2001-09-25, "I'm your huckleberry.") · 4 recommendations

All very interesting, but ...
quote:
"Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
That only applies to weak passwords, which are common. Passwords are fine, as long as they are selected properly. Poor passwords are the fault of users.

And for the record, I do not and never have been a proponent of SMS authentication. I won't do business with anyone who requires it, and for those that have where I still do business I've been able to get them to waive it or have an exception placed on my accounts disabling it. MFA over SMS is not secure, and a security vulnerability. I won't have it on any of my accounts.

tlbepson (Premium Member, join:2002-02-09, dc metro) to HELLFIRE · 8 recommendations

What a B I G surprise that the article is from Microsoft and...

wait for it...

Pushes a Microsoft product under the guise of security...

What is one supposed to do when one does not have a cell phone?

ashrc4 (Premium Member, join:2009-02-06, australia) to InternetJeff

What, no middle ground in the consideration....RC4 is trivial to break yet still implemented for lower risk and as a time-consuming deterrent for crypto. Why not regulate/stipulate MFA usage to categories etc..an all-in eggs basket just improves the chances of the best we have being the next victim or escalation of pawning higher in the OS.

ashrc4 (Premium Member) to HELLFIRE · 1 edit · 1 recommendation

Does the Microsoft key app have the same potential as the great RSA key internal hack that blighted a lot of its users....more in favour of capable companies having their own separate app for such purposes IMHO.
Edit added link: »www.schneier.com/blog/ar ··· _in.html

camper (Premium Member, join:2010-03-21, Bethel, CT, "just visiting this planet") to InternetJeff · 5 recommendations

said by InternetJeff:

Passwords are fine, as long as they are selected properly.

... and properly protected.

Anav (Premium Member, join:2001-07-16, Dartmouth, NS, "Sarcastic Llama? Naw, Just Acerbic") to HELLFIRE

Technology sucks, now instead of a thief only cutting off your thumb to gain access to one's phone, they will take out an eyeball or just decapitate the head.........
Get a life people....... If you have something worth taking, then you probably have the $$ to protect yourselves...

mackey (Premium Member, join:2007-08-20) to tlbepson · 8 recommendations

said by tlbepson:

What is one supposed to do when one does not have a cell phone?

Hardware token such as YubiKey or a PC-capable authenticator app such as Authy.

Astyanax (Premium Member, join:2002-11-14, Melbourne, FL, AT&T FTTP) to HELLFIRE · 1 recommendation

As usual, current popular online security measure X is absurd and new far more PITA measure Y should be implemented immediately "if you are at all serious about protecting your accounts" because a whole 0.1% of accounts have been compromised using the old way. Sound the alarm! Cry havoc and let out the dogs of FUD!

The security industry wants to make sure the user is always considered stupid and never wins.

mackey (Premium Member, join:2007-08-20) · 6 recommendations


said by Astyanax:

As usual, current popular online security measure X is absurd and new far more PITA measure Y should be implemented immediately "if you are at all serious about protecting your accounts" because a whole 0.1% of accounts have been compromised using the old way. Sound the alarm! Cry havoc and let out the dogs of FUD!

The security industry wants to make sure the user is always considered stupid and never wins.

Uh, you do realize app-based authenticators such as Authy are no more of a PITA to use than SMS and in fact are actually easier to use while being much, much more secure, right?

DJStarfox (Member, join:2000-07-05, Orlando, FL) to HELLFIRE · 5 recommendations

Thankfully, there are a lot of other TOTP options besides getting in bed with MS.

Demonfang (Member, join:2011-04-21, Spring Mills, PA) to HELLFIRE · 1 recommendation

I moved away from phone-based MFA earlier this year, wherever possible. Phone/SMS is NOT secure since SIM jacking isn't exactly unheard of anymore. I do still have a couple of things that use it sadly, and will probably cut them off next year, all of them being banks or other financial institutions.

tlbepson (Premium Member, join:2002-02-09, dc metro) to mackey · 3 edits · 4 recommendations

mackey:
>>Hardware token such as YubiKey or a PC-capable authenticator app such as Authy.

Thank you for the info...it's more than likely I will stick with getting an email for the infrequent authentication actions I have needed...

Since I know squat about this, I went looking at wikipedia and found the following--in part:

"In February 2015, Twilio acquired Authy, a Y Combinator-backed startup that offers two-factor authentication services to end users, developers and enterprises.

In September 2016, Twilio acquired Tikal Technologies, the development team behind the Kurento WebRTC open source project, for $8.5 million.

In February 2017, Twilio acquired Beepsend, a Swedish-based SMS messaging provider, for an undisclosed amount

In September 2018, Twilio announced they were acquiring Ytica, a Prague, Czech Republic-based speech analytics firm, for an undisclosed amount.

In October 2018, Twilio announced they were acquiring SendGrid, a Denver, Colorado-based customer communication platform for transactional and marketing email, for $2 billion.

In November 2018, Twilio reported acquiring Core Network Dynamics GmbH, a Berlin, Germany-based virtual EPC (Evolved Packet Core) specialist company.

In July 2020, Twilio announced they had acquired Electric Imp, an Internet of Things platform company, for an undisclosed amount.

In October 2020, Twilio acquired Segment, for $3.2 Billion."

Along with this:

"Twilio uses Amazon Web Services to host telephony infrastructure and provide connectivity between HTTP and the public switched telephone network (PSTN) through its APIs."

[Source: »en.wikipedia.org/wiki/Twilio ]

Frodo (Member, join:2006-05-05) to InternetJeff · 1 recommendation

said by InternetJeff:

MFA over SMS is not secure

OK, but I have a question. Isn't MFA over SMS more secure than no MFA at all? It seems to me that the primary password is off the table, because the primary password needs to be entered to trigger the secondary authentication. I'm not asking the question hypothetically, because I'm thinking that in a 6 figure account with a strong password, wouldn't it make sense to add a secondary verification? How does password + 2FA become less than just password? Because, if it's more, then I might just add it.
I have a different account, Schwab, and they already require 2FA with 4 choices, phone call to the home or cell, or SMS to the home or cell. (Yeah, the home can receive SMS due to an app on the cell).
So, I'm interested. Does the addition of an SMS requirement lower the security, since it seems the password is still required?

PS: Funny thing about Schwab - I'm in on a 6 digit pin on a tablet. But from a computer, password plus SMS or phonecall.

ashrc4 (Premium Member, join:2009-02-06, australia)

Thing about SMS is you could always add more personal in the handshake. Phone related and time sensitive

ashrc4 (Premium Member)

And why stop there sms apps that include Samsung or ms key gens

Astyanax (Premium Member, join:2002-11-14, Melbourne, FL, AT&T FTTP) to mackey · 3 recommendations

said by mackey:

Uh, you do realize app-based authenticators such as Authy are no more of a PITA to use than SMS and in fact are actually easier to use while being much, much more secure, right?

It is indeed a PITA because now I have to download and install yet another "app" (right there it meets the "PITA" threshold), hit the books and learn from scratch how this thing works, and then worry about when in the future how this thing too will inevitably itself be compromised somehow. I'll supposedly have had all of my security tied into this thing because it's soo much more secure than SMS.

If I were a hacker and this thing caught on in popularity (I never heard of it until now), I'd focus all my skills in cracking this thing since MS wants you to trust all the keys to your kingdom with it.

No thanks.

DarkLogix (Premium Member, join:2008-10-23, Baytown, TX, "Texan and Proud") to Frodo · 4 recommendations

said by Frodo:

OK, but I have a question. Isn't MFA over SMS more secure than no MFA at all?

No.

mackey (Premium Member, join:2007-08-20) to Frodo · 5 recommendations

said by Frodo:

Isn't MFA over SMS more secure than no MFA at all?

Yes and no. In theory it is as it's another hoop someone needs to jump through to compromise an account, however in practice it is a false sense of security as that hoop isn't difficult to bypass. Plus, most implementations are completely broken because the "forgot password?" link then uses this "2nd" factor as the only factor for approving a password reset. If that wasn't bad enough, some companies also use the number you provide to spam you or sell it to advertisers who do.

dennismurphy (Premium Member, join:2002-11-19, Parsippany, NJ, "Put me on hold? I'll put YOU on hold") to Astyanax · 4 recommendations

said by Astyanax:

said by mackey:

Uh, you do realize app-based authenticators such as Authy are no more of a PITA to use than SMS and in fact are actually easier to use while being much, much more secure, right?

It is indeed a PITA because now I have to download and install yet another "app" (right there it meets the "PITA" threshold), hit the books and learn from scratch how this thing works, and then worry about when in the future how this thing too will inevitably itself be compromised somehow. I'll have supposedly have had all of my security tied into this thing because it's soo much more secure than SMS.

If I were a hacker and this thing caught on in popularity (I never heard of it until now), I'd focus all my skills in cracking this thing since MS wants you to trust all the keys to your kingdom with it.

No thanks.

TOTP is a widely available standard. You don't need to use the MS Authenticator.

In fact I wrote my own TOTP app for my Mac. Works great.

I've also got my tokens loaded in 1Password. Most important piece of software on my devices, bar none. Tracks my TOTP tokens and lets me use a random, long 24+ character password unique to every login.

At the end of the day, I have to trust *something*. Whether it's 1Password, Keychain, my brain, a piece of paper, my safe deposit box, whatever ... For better or worse, I chose 1Password. So far, so good.

Well Bonded (Member, join:2015-10-17, Naples, FL) to HELLFIRE · 5 recommendations

Considering the technical inaccuracies in that article and some of the provided links, I would take it with a grain of salt.

Snowy (Premium Member, join:2003-04-05, Kailua, HI, "Lock him up!!!") to mackey · 1 recommendation

said by mackey:

said by Frodo:

Isn't MFA over SMS more secure than no MFA at all?

In theory it is as it's another hoop someone needs to jump through to compromise an account, however in practice it is a false sense of security as that hoop isn't difficult to bypass.

I disagree.
If it's so easy to beat, beat any of my numerous accounts that have SMS based protection.

Most people that claim SMS abuse is easy to accomplish are coming from anecdotal experience rather than actual experience.

mackey (Premium Member, join:2007-08-20)


said by Snowy:

said by mackey:

said by Frodo:

Isn't MFA over SMS more secure than no MFA at all?

In theory it is as it's another hoop someone needs to jump through to compromise an account, however in practice it is a false sense of security as that hoop isn't difficult to bypass.

I disagree.
If it's so easy to beat, beat any of my numerous accounts that have SMS based protection.

Most people that claim SMS abuse is easy to accomplish are coming from anecdotal experience rather than actual experience.

If pointing to one of the many stories where someone got pwned after their SMS was compromised is "anecdotal" then me compromising your SMS is also anecdotal.

Snowy (Premium Member, join:2003-04-05, Kailua, HI) · 1 recommendation


said by mackey:

...then me compromising your SMS is also anecdotal.

Let's start with something that we agree upon.
anecdotal
adj.
Based on casual observations or indications rather than rigorous or scientific analysis.

Can we agree on that definition of "anecdotal"?

mackey (Premium Member, join:2007-08-20)


said by Snowy:

Can we agree on that definition of "anecdotal"?

If that is your definition of anecdotal then explain to me how someone getting pwned via SIM-jacking or porting meets that definition, and why is it only not anecdotal when it happens to you but not when it happens to someone else.

Snowy (Premium Member, join:2003-04-05, Kailua, HI) · 1 recommendation


said by mackey:

said by Snowy:

Can we agree on that definition of "anecdotal"?

If that is your definition of anecdotal...

Actually it's more like Webster's definition than mine.
Again, are we able or unable to agree on that definition?

Astyanax (Premium Member, join:2002-11-14, Melbourne, FL, AT&T FTTP) · 1 recommendation


From the article:
quote:
the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population

This quote is all that should matter from the article and should pretty much end any further discussion of the issue.

I sleep perfectly fine with my SMS MFA and so does most of the world (except some of the posters in this thread apparently). Some are trying to make a mountain out of a molehill here.

Snowy (Premium Member, join:2003-04-05, Kailua, HI) · 5 recommendations


said by Astyanax:

From the article:

quote:
the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population

I agree with your conclusion.
About the statistic quoted above -
Here's where Microsoft got the 0.1% statistic
»www.zdnet.com/article/mi ··· ication/
quote:
Microsoft has been telling companies and users alike to enable an MFA solution since last year, claiming that using an MFA solution -- whatever that may be, hardware key, SMS, etc

My bottom line is that SMS based 2FA is more secure than just a singular password authentication & is suitable to me for its intended purpose.

ALeeJones (Member, join:2020-03-07, Richmond, IN) to mackey · 3 recommendations

2FA... not a fan

DarkLogix (Premium Member, join:2008-10-23, Baytown, TX) to Snowy · 3 recommendations

said by Snowy:

My bottom line is that SMS based 2FA is more secure than just a singular password authentication & is suitable to me for its intended purpose.

That's just the fallacy the pro-SMS peeps like the NSA/CIA/and FBI want you to think.