SMS Tokens: Researchers demonstrate another reason not to use them.
In a previous article I threw some questions and doubts at the practice of using SMS tokens for two-factor, or two-step, authentication. My concerns then were over the safety and integrity of the management and deployment of the mobile phone SIM card and its associated telephone number.
“Based on our findings, we conclude that SMS-based 2FA should be considered unsafe.”
Now it seems there are other risks being uncovered which make the use of SMS one-time passcodes very dangerous. Researchers from VU University Amsterdam have demonstrated a MIB [Man In The Browser] attack which, under specific use cases, can completely bypass both the SMS token and the phone.
The exploit hinges on the increasingly common capability of the latest versions of PC operating systems and phones to provide a notion of Anywhere Computing. This is a feature that lets a user start a task on one device and seamlessly switch to a second device to complete it. This integration/synchronisation between devices fundamentally breaks the 2FA paradigm of a second “thing”: once the PC and the phone are bound together, a compromise of the PC reaches the channel the phone was supposed to keep separate.
You can read the researchers’ paper, How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, here. Watch further explanation and a demo of the BAndroid vulnerability here.
The full research paper: How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, by Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos.
Your Mobile as a Token
Using mobiles securely as the second factor in a 2FA solution is possible, however. An OTP generator, or OATH-compliant token in the form of an app, makes the process easy and independent of any SMS reception: the secret is provisioned once into the app, and each code is computed locally rather than delivered over the carrier network. Gemalto’s MobilePASS is our preferred token when it comes to 2FA implemented on their SafeNet Authentication Service [SAS] platform. SAS scales to hundreds of thousands of users and fully automates the provisioning of users and their tokens. This helps to drive cost out of the provisioning and support process, making this solution orders of magnitude cheaper to own and operate than any other in the market.