New Carrier-Based Authentication System Seeks To Replace SMS 2FA
Two years ago, the National Institute of Standards and Technology (NIST) proposed the deprecation of SMS two-factor authentication (2FA) because it was getting too easy for attackers to steal authentication codes from victims. The U.S. carriers AT&T, Verizon, Sprint, and T-Mobile announced a new, supposedly more secure solution to replace SMS 2FA.
SMS 2FA Deprecation Long-Overdue
Two-factor authentication still isn’t as popular as it should be. A recent report said that only 10% of Gmail users enabled it despite the fact that those Gmail accounts could not only contain sensitive personal information, but they could also give access to virtually all of a user’s online accounts, too.
John Podesta, Hillary Clinton’s presidential campaign chairman, learned this the hard way, as did many other people who suffered attacks against their email accounts that could have been saved if they had enabled 2FA.
However, most online services hardly even offer 2FA on their sites, let alone mobile app authentication or authentication through a hardware security key. TwoFactorAuth.org has compiled a relatively comprehensive list of online services that offer 2FA security if you want to learn more.
Most of the sites that do offer 2FA as an option typically only allow authentication through a SMS code, and this is still true even after NIST announced the deprecation of SMS-based 2FA two years ago.
Threat Of SS7
There are multiple ways in which attackers could get your SMS 2FA code, including by calling the carriers and pretending to be you and wanting to port your number to their phone. Then, they would be able to request a SMS code that’s tied to whatever online account they’re trying to hack.
However, perhaps the easiest way to do it is through the Signaling System Seven (SS7), a system that connects calls and SMS messages from one carrier to another. Representative Ted Lieu showed two years ago how easy it was for someone to intercept his calls using this method. He then asked carriers to fix it as soon as possible. However, we haven’t heard much from the carriers about it work on that front in the time since.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
New Carrier Authentication Solution
The four major U.S. carriers joined together in the Mobile Authentication Taskforce to develop “a highly secure and trusted multi-factor authentication platform powered by the carrier networks” that could be used by both enterprises and consumers to secure their devices against hacking.
The GSM Association (GSMA) also seems to have been involved in this effort. Alex Sinclair, Chief Technology Officer at the GSMA, said the following in AT&T’s post:
As mobile becomes the remote control for day-to-day life, mobile identity is key to making things simpler and more secure for consumers. The GSMA has been working with operators around the world to bring a consistent and interoperable, secure identity service and this taskforce will strengthen that effort by enabling a simple user experience quickly and conveniently in the US market.
According to AT&T, this new solution will deliver a cryptographically-verified phone number and profile data for users authorized applications with their consent. On its own, this shouldn’t do much, as it would simply guarantee that a number is real. However, the security of the solution will also be backed by the IP address, SIM card attributes, phone number tenure, phone account type, and more.
Is It More Secure Than SMS 2FA?
This carrier-based mobile authentication solution will essentially check multiple phone and network attributes to see if the person with a phone number is who they say they are. However, at first glance it looks like most of that security-related metadata could be easily spoofed by potential attackers. After all, it’s trivial to spoof an IP address or a phone’s type. SIM card attributes may be harder to spoof, but it’s not exactly out of the hands of more sophisticated attackers.
The whole solution may the primary goal to replace SMS 2FA, but at the same time it looks like it’s designed for convenience. AT&T hasn’t released more details yet, but it doesn’t seem that this solution would require a code from the user.
We’ve reached out to AT&T to gain more insight into how it works on a more technical level and whether or not it’s designed to have built-in “lawful intercept” technology that would allow law enforcement agencies to disable the security guarantees when requested.
Ultimately, whatever the security guarantees of this new technology are, they will have to be proven in the real world. The carrier taskforce will begin testing the technology in the next few weeks, and consumers will have access to it by the end of the year.
-
Snipergod87 And what happens when someone walk's into your local Verizon store, claims to be you and uses social engineering to get a new SIM card issued in your name to their phone? Its not like that hasn't happened before.Reply -
Druidsmark Main reason I don't use sms is I have a pay as you go phone. This means I pay for every minute I talk on the phone as well as I pay for every text message I receive and send. So unless the mobile phone carriers here in canada want to start making it free for me to receive sms messages are will continue to avoid this service as much as possible. As this news article points out this is added layer of security is vulnerable to hacking as well so I see no reason to use a service that costs me money every time I use it.Reply
I use my phone primarily as door buzzer and spend less then $100 a year for the phone. -
bollwerk Note that this article is only about SMS 2FA. Other forms of 2FA are perhaps more secure? i.e. Google Authenticator, Duo, etc...Reply -
alextheblue 20753867 said:Main reason I don't use sms is I have a pay as you go phone. This means I pay for every minute I talk on the phone as well as I pay for every text message I receive and send. So unless the mobile phone carriers here in canada want to start making it free for me to receive sms messages are will continue to avoid this service as much as possible. As this news article points out this is added layer of security is vulnerable to hacking as well so I see no reason to use a service that costs me money every time I use it.
I use my phone primarily as door buzzer and spend less then $100 a year for the phone.
I use smoke signals, but some days the range is really limiting. I demand the carriers offer me free carrier pigeons for 2FA purposes.