The Problem With SMS 2-Factor

Jaime Smeke
Oct 5, 2016

I am a huge paranoid. Unreadable-password-level paranoid. Doing-the-three-tap-every-two-minutes paranoid (left pocket, right pocket, back pocket — in that specific order). It’s only natural for me to love Two Factor or Two Step Authentication.

2FA acts as an extra layer of protection for your accounts by generating a random token which must be entered even after you have successfully logged in with your password. This way, even if someone somehow manages to get hold of your precious password, they still won’t be able to gain access.

As we may or may not know, authentication rests on three layers (factors): What You Know, What You Have and What You Are.

These layers can be narrowed to the following:

What You Know: Your password.

What You Have: Your mobile phone.

What You Are: A part of your body, such as your finger or your iris.

2FA generally uses two of these elements to secure your account, but it’s one of these that really gets my goat (if I had a goat), and that is What You Have.

The Problem With What You Have

The What You Have concept uses the infamous SMS feature as one of its most common tools. This is the feature that appeared to be doomed 8 years ago when BlackBerry arrived, and it has made a great comeback in the form of automated messages connected to awesome APIs.

The problem with What You Have is that what you have can sometimes be even more vulnerable than What You Know.

To be honest, What You Have is probably good enough. Or at least it’s better than just using What You Know. But good enough doesn’t work for security-conscious people (such as yours truly) or those who handle sensitive information on a daily basis.

Let me give you a quick rundown of a few reasons why I have a problem with SMS-Based 2FA:

Phones Get Lost

My girlfriend has a cousin who once lost 10 phones in a year. Ten. Yep, that’s almost one phone per month. Someone who wanted access to her account would’ve had an 83.33% chance of bypassing her 2FA just by being near her at any given moment.

(Most) SMS Messages Are Visible in Plain View

Lock your phone. Then have someone send you a message right away. Do you see the basic flaw in that? The person standing next to you (or in possession of your phone) doesn’t even need your phone’s passcode to read the message: the code is revealed instantly by lock screen notifications.

Actual GoDaddy example.

You’re at The Mercy Of Your Carrier

SMS is faulty at best, and can be quite unreliable. (U.S. readers probably won’t understand this, but people in LatAm and non-first-world countries, I know you hear me.) The simple fact that websites that use SMS-Based 2FA need to have a “Didn’t get your code?” button is an appalling UX flaw.

You Shall Not Pass. At least for the next 4 or 5 minutes while I watch you click on your Home button increasingly more and more desperate.

I have found myself receiving five or six SMS messages in a row after not receiving the first one and going on a clicking rampage on that button. Which code is the right one now? :/

There Are Smarter Options

Google Authenticator. Authy. 1Password (my personal favorite). There are a dozen or more apps that help you manage 2FA in a more secure and efficient way. All of these apps use randomly-generated tokens that expire after a minute or so, and most of them offer additional benefits over SMS-Based 2FA.

No Push Notification

You don’t need everyone to see the code. You don’t even need it to be delivered on demand. Of course it’s more comfortable than unlocking your phone and opening an app, but so is writing the combination on your bike’s lock with a “plz don’t steal” sign, in case you forget it.

Pictured: Not a very efficient security system.

Protected By What You Are

Most authenticator apps have an extra layer of security built in. For example, 1Password requires you to either enter a password (What You Know) or use Apple’s Touch ID (What You Are) biometric option to validate.

Of course Touch ID, biometrics and most consumer security options are not foolproof; all of them are vulnerable (hacking Touch ID requires just a piece of scotch tape or glue), but, in my opinion, it beats something you can lose by a long shot.

PS: Not Just SMS

I’m not being fair with the article’s title, because the real problem isn’t SMS. The real problem is the What You Have layer. Of course the What You Are layer still uses your phone, but the added element of security at least lets you be a teeny bit relaxed when you are freaking out because you lost your phone. What You Have includes wearables such as the Apple Watch, which can unlock your Mac just by being close enough (kill me).

The Best Of Both Worlds

However, Apple uses an interesting mix to validate access to your Apple ID account: Users receive a code on-demand (like in the SMS model) that triggers a push notification on the lock screen, but they need to unlock their phone to actually see the code. (Btw, I am mostly speaking about Apple because I am an iPhone user, and would love to get Android users’ opinions on the topic.)

Conclusion: Nobody’s Perfect

Of course we are still figuring out what the best way to protect our information is. Companies work day and night to secure your information, making high-end encryption algorithms work with flows as simple as placing your finger, reading your iris and whatnot. I simply believe SMS is a quick fix rather than a solution, and it is irresponsible for companies (especially the ones storing payment information, damn it) to use it when there are simpler, more advanced technologies.

I understand SMS is way more universal than apps and smartphones, but remember — so was Internet Explorer a few years ago.
