Two-factor authentication challenged by SIM swap
We authenticate ourselves several times a day. Every time we open a door with a key, we prove to the building that we are allowed in, simply by possessing the key. When we travel, our passport does the same job at the border. When we pay by credit card or mobile money, we combine possession of the card or phone number with knowledge of the associated PIN code: two independent proofs, which is what is meant by two-factor or strong authentication.
As our dependence on digital technology has grown and our need for data protection increased, the issue of authentication has become more important.
Nowadays, when a user wants to access a resource in an information system, the first step is identification followed by authentication. Identification is the step in which the user states who they are (a username, an e-mail address, a phone number); authentication is the step in which the system checks that claim against the credentials presented during the login attempt.
The password has been the most widespread authentication method in the world
For a long time, the password has been the most widespread authentication method in the world. Because it relies on nothing more than a secret that is assumed to be robust and known only to its owner, password authentication became the simplest and cheapest way to control access to our data. But attackers have been hammering at passwords for years, and on their own they are now too weak to rely on.
To obtain passwords, attackers first targeted individuals. A password leaked either through the user's own carelessness with security rules ("lending" a login and password to a friend, a colleague or a manager) or through a deliberate attack (cracking a weak password, a Trojan or other malware, phishing). In both cases, the user whose identity was stolen was the one held responsible.
Then the service providers' databases, where our passwords are stored, became the target. Between 2014 and 2019 the leaks piled up: Yahoo (more than 3 billion account records, passwords included, stolen), Aadhaar (data on over a billion Indian citizens exposed by the national identity service), Facebook (540 million user records and 22,000 passwords exposed online), Marriott hotels (more than 500 million customer records stolen), Equifax (more than 143 million people affected)... Each leak enriched attackers' knowledge of how people choose passwords and raised the risk of any account protected only by one. A visit to haveibeenpwned.com shows how ordinary identity theft has become: at the time of writing the site indexed more than 9 billion stolen credentials from more than 424 sites, not counting the Yahoo breach.
Because of these intrinsic weaknesses of passwords, many service providers have implemented two-factor authentication, also known as strong authentication.
How does two-factor authentication work?
Two-factor or strong authentication adds a second check on top of the password. When you log in to your account, typically from a device the service has not seen before, you enter your username and password as usual and are then sent a one-time password (OTP) that must be entered within a short validity window. The OTP is usually sent by SMS to the phone number registered on the account, although other channels exist: e-mail, a dedicated authenticator app such as Google Authenticator that generates time-based codes on the device itself (TOTP, RFC 6238), or a hardware token. The password is something you know; the OTP proves something you have, the phone or device that received or generated it. With SMS, what you actually prove is control of a phone number, and that is the weakness the rest of this article is about.
The SIM card, a new target for hackers...
As strong authentication spread, attackers adapted. Users are now targeted less for their usernames and passwords than for their phone number, that is, their SIM card. The attacker's goal is to obtain a duplicate of the victim's SIM, issued by the operator, so that the victim's text messages, OTPs included, are delivered to the attacker, who can sometimes also send messages in the victim's name. In August 2019 the CEO of Twitter paid the price for this practice when his own Twitter account was hijacked this way. The phone number is gradually replacing our usernames and passwords and has become a central element of authentication, which is why protecting the SIM card on which most of our authentication systems now rely is a major cybersecurity challenge. SIM card manufacturers and telecom operators alike are called upon to preserve the integrity and durability of two-factor authentication.
SIM card manufacturers need to fix the vulnerabilities in their current SIM cards and harden the software embedded in them. Operators need to manage access to their networks better: this means deploying filters that block malicious text messages aimed at subscribers' SIM cards, and above all preventing phone number theft by tightening identity checks when a SIM card is issued or replaced. In practice, operators already refuse to issue a duplicate SIM card without seeing the owner's identity document. But that check only helps if the subscriber's identity was properly verified when the SIM was first issued, and a replacement should no longer be obtainable with a photocopy of an ID document or through a call to the operator's call centre.
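The operator-side controls above protect the number itself; the service that sends the OTP can add a check of its own. The example below is added here and is not code from the article or from any operator: it assumes the operator makes a feed of SIM replacements and number ports available to the service (that feed, its CSV layout and the 72-hour quarantine are assumptions), and it triages constructed login records so that any number whose SIM changed recently is refused SMS as a second factor and pushed to a different factor instead.

```python
"""Risk check a service can run before sending an SMS OTP: a number whose SIM was
recently replaced or ported is treated as untrusted and a different factor is demanded."""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

# How long a number stays in quarantine after a SIM change. Assumed value, not from the article.
QUARANTINE = timedelta(hours=72)

# Constructed sample feed (not real operator data): one row per SIM replacement or number port.
SIM_EVENTS = """\
phone,event,time
+33600000001,sim_replaced,2019-08-28T14:05:00
+33600000002,number_ported,2019-08-30T09:40:00
"""

# Constructed sample login log (not from the article).
LOGINS = """\
time,user,phone,requested_factor
2019-08-30T10:02:00,alice,+33600000002,sms
2019-08-30T10:05:00,bob,+33600000001,sms
2019-08-31T16:00:00,carol,+33600000003,sms
2019-09-02T08:00:00,bob,+33600000001,sms
2019-09-02T08:10:00,dave,+33600000002,totp
"""


def latest_sim_change(feed: str) -> Dict[str, datetime]:
    """Most recent SIM change per phone number; the feed may arrive out of order."""
    latest: Dict[str, datetime] = {}
    for row in csv.DictReader(StringIO(feed)):
        t = datetime.fromisoformat(row["time"])
        if row["phone"] not in latest or t > latest[row["phone"]]:
            latest[row["phone"]] = t
    return latest


def decide_factor(login: Dict[str, str], changes: Dict[str, datetime],
                  quarantine: timedelta = QUARANTINE) -> str:
    """'sms' if the number is trustworthy, otherwise 'step_up' (authenticator app,
    hardware key or another non-SMS factor). Non-SMS requests pass through untouched."""
    if login["requested_factor"] != "sms":
        return login["requested_factor"]
    changed = changes.get(login["phone"])
    if changed is None:
        return "sms"                       # no SIM change on record for this number
    age = datetime.fromisoformat(login["time"]) - changed
    # A negative age means the change was logged after the login (clock skew or a late
    # feed); it compares below the quarantine and so is treated as recent, not trusted.
    return "step_up" if age < quarantine else "sms"


def triage(logins: str, feed: str, quarantine: timedelta = QUARANTINE) -> List[Tuple[str, str]]:
    """Decide, for every login record, which second factor the service should require."""
    changes = latest_sim_change(feed)
    return [(row["user"], decide_factor(row, changes, quarantine))
            for row in csv.DictReader(StringIO(logins))]


if __name__ == "__main__":
    for user, factor in triage(LOGINS, SIM_EVENTS):
        print(f"{user}: {factor}")
```

In the constructed data, alice's number was ported 22 minutes before her login and bob's SIM was replaced 44 hours before his first login, so both are stepped up; carol has no change on record and bob's second login falls outside the quarantine, so SMS is allowed; dave never asked for SMS. The rule is deliberately coarse: it does not say who changed the SIM, only that the number cannot be trusted as a possession factor yet.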
Should we stop using two-factor authentication?
If our digital security is now threatened by the weaknesses of our SIM cards, should we give up two-factor authentication? Certainly not. It can still be improved, but two-factor authentication remains more secure than a password alone. The way to stay out of attackers' reach could be multi-factor authentication (MFA) based on our identifier, our phone number and at least one further factor of a different kind, such as a specific smartphone or computer we have enrolled, or a biometric such as a fingerprint. Until MFA is widespread, the alternative remains an authenticator app for the second factor that does not rely on text messages or e-mail at all, and that lets you protect access to it with a PIN code or password.
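The authenticator-app alternative recommended above, and the OTP mechanism described in the section on how two-factor authentication works, both come down to the same standard: TOTP (RFC 6238) on top of HOTP (RFC 4226). The example below is added here and is not code from the article, from Google Authenticator or from any other product. It implements the app side (secret enrolment, the otpauth:// provisioning URI, code generation) and the server side (verification with a drift window, constant-time comparison and replay rejection), and uses the RFC test key so the codes can be checked against the published vectors; the issuer and account names are placeholders.

```python
"""TOTP (RFC 6238) enrolment and verification, as an authenticator app and a server would do it."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # time-step length in seconds (the RFC 6238 default used by authenticator apps)
DIGITS = 6   # code length

# RFC 4226 / RFC 6238 test key ("12345678901234567890" in ASCII), base32-encoded the way an
# authenticator app expects it. A real enrolment uses new_secret() instead.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """Random 160-bit shared secret, base32-encoded for the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI (the Key URI Format authenticator apps read from a QR code)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """What the authenticator app displays: HOTP with counter = Unix time // step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server-side state for one enrolled user.

    Accepts the current step and +/- `window` neighbouring steps (clock drift, typing
    delay), compares in constant time, and never accepts a counter at or below the last
    one consumed, so a code captured in transit cannot be replayed inside its window.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP) -> None:
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1            # highest counter already used for this user

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue                  # already used, or older than one already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleService"))
    verifier = TotpVerifier(secret)
    code = totp(secret)                   # what the app on the phone would show right now
    print("code", code, "first use:", verifier.verify(code), "replay:", verifier.verify(code))
```

Nothing here travels over the mobile network: the secret is shared once at enrolment (the QR code) and every later code is computed on the device, so a duplicate SIM gives the attacker nothing. Two server-side details matter in practice and are easy to get wrong: compare with `hmac.compare_digest`, not `==`, and store the last accepted counter per user, otherwise a code phished or shoulder-surfed seconds earlier is still valid for the rest of the window.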
Marketing & Communication Director at Orange RDC
5 years ago: Great article Jonas! A real challenge for operators as well.
Payments Solutions Specialist | Java, Go backend Developer | Solution Architect | AWS | ISO 8583 | EMV
5 years ago: Great article, waiting for the next.
Computer Engineer
5 years ago: Great article Jonas Adrien A., what do you think about authentication by certificate (RSA private key)?