Many of us use Two Factor Authentication (2FA) mechanisms to log in and prove our identity to important IT systems such as the company’s remote access or VPN, or our own personal bank accounts.
2FA relies on the notion that, to establish your identity, you need to provide proof of possession of something unique to you, typically a physical token, and knowledge of something only you should know, i.e. a password or pass-phrase.
The OATH style of One Time Password (OTP) authenticator utilises this strategy by embedding a unique key or “seed value” within a cryptographic engine which, when combined in some way with a PIN or pass-phrase, generates a unique one time password. The identity provider replicates the OTP value using the same seed and compares the two values to establish their validity.
SMS tokens, however, work differently. In this case the unique OTP is generated only by the back-end identity provider and sent to the user’s registered mobile phone number. The user then combines their pass-phrase with the SMS OTP code to prove that they hold the token and know their pass-phrase.
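Because the SMS code is produced entirely by the back end, the identity provider has to keep enough state to check it later. The following is an added example, not code from the original post, of the provider's side of that exchange: a random code is issued against a pending login session, only a hash of it is stored, and verification enforces an expiry, an attempt limit and single use. The class name `SmsOtpService`, the session identifiers and the phone number are constructed for the example; delivery to the SMS gateway is assumed to happen outside this code and is not shown.

```python
import hashlib
import hmac
import secrets


class SmsOtpService:
    """Back-end issuer and verifier for SMS one-time passwords (example design, not a library API)."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, digits: int = 6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending = {}          # session_id -> challenge record; stands in for a database

    def _digest(self, session_id: str, otp: str) -> str:
        # Bind the hash to the session so a code issued for one login cannot satisfy another.
        return hashlib.sha256(f"{session_id}:{otp}".encode()).hexdigest()

    def issue(self, session_id: str, phone_number: str, now: float) -> str:
        """Create a fresh code for a login session. Returns the plaintext once, for the SMS
        gateway; only its hash, expiry and attempt counter are retained."""
        otp = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"   # CSPRNG, zero-padded
        self._pending[session_id] = {
            "digest": self._digest(session_id, otp),
            "expires": now + self.ttl,
            "attempts": 0,
            "phone": phone_number,  # recorded for audit; the number itself proves nothing
        }
        return otp

    def verify(self, session_id: str, candidate: str, now: float) -> bool:
        """Check a submitted code. Expired, locked-out or already-used challenges fail closed."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= self.max_attempts:
            self._pending.pop(session_id, None)   # too late or too many guesses: discard
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(session_id, candidate)):
            self._pending.pop(session_id, None)   # one-time: consumed on first success
            return True
        return False


if __name__ == "__main__":
    svc = SmsOtpService()
    # "+44 7700 900000" is a reserved drama number, used here as a constructed placeholder.
    code = svc.issue("login-session-1", "+44 7700 900000", now=1000.0)
    print("would send by SMS:", code)
    print("verified:", svc.verify("login-session-1", code, now=1030.0))
```

The pass-phrase (the knowledge factor) is assumed to have been checked before `issue` is called, so the SMS code only ever proves possession of the phone number; as the post goes on to explain, that possession is exactly what a SIM port undermines, and nothing in this verifier can detect it.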
Both of these systems rely on the physical token staying in the possession of the user. In either case the loss of the token needs to be reported as soon as possible to the security manager who will revoke the use of the token.
The weakness of the phone and SMS as a token stems from its reliance on the SIM card and the telephone number assigned to it. The phone number can easily be ported to another SIM and provider, and because that same phone number may also serve as an alternative communication channel for resetting passwords or registering an alternative device, an attacker can take possession of the token without ever stealing the physical device.
This relatively simple attack was adequately demonstrated on air by the BBC Radio 4 program You and Yours earlier this month. Listen here: