We will text you a code...

The worst thing you can do is to secure your user logins with passwords. The second-worst thing you can do is to secure your user logins with text message MFA... but SMS logins are still vastly better than passwords alone.

There have been volumes written on how bad it is that most systems rely on passwords, and I won't go into that in depth other than to summarize:

  • Passwords get stolen all the time, sometimes even when the user has made adequate efforts to protect them.
  • Often "easy to remember" has also become "easy to guess," making the password ineffective at protecting the login.
  • A lot of people reuse passwords on multiple sites, unaware that a breach on any one of those could expose their password for all of those websites.
  • Some systems require changing the password every 60 or 90 days, and since the user often waits until they can't wait any longer, the new password is rushed, and not as secure as the original.
  • The old guidance that a complex password has "one uppercase letter, one lowercase letter, one number, and one symbol" actually makes it easier to brute-force guess a password. Even though NIST updated its password complexity guidelines long ago, few systems have adopted the new guidance.
  • Some people share their passwords with others in unencrypted plaintext messages, which then get backed up to a remote server in the same unencrypted form.

Passwords continue to be popular because they're familiar, they're ubiquitous, and every browser and password vault these days knows exactly how to handle them.

Multi-Factor Authentication

Multi-factor authentication (MFA) means the user's identity is verified in at least two different ways. Usually one factor is the password (which, again, is because everyone knows what to do with them); the second factor can be a lot of different things, including a hardware device, a passkey (a secret that is never transmitted but is used to generate evidence of knowing the secret), a security question, or a text message code.

Many websites have now implemented MFA, which is much better, in any form, than a password alone. But when it comes to text message one time passwords (OTPs), I love 'em, I hate 'em, and I have better ideas for them.

Reasons to love text message codes

Text message codes are sent directly to the user at a mobile phone number they have and may continue to have for the rest of their lives. Phone numbers outlive phones, so even if you upgrade your phone in a couple of years, that one website you only access every couple of years will still be able to verify your identity.

They're also easy. Usually the code is numeric, so there's no confusion about similar looking characters, e.g. whether the one time code is a 0 or an O, an l (lowercase 'L'), I (uppercase 'I') or a | (pipe symbol), ',' or a '.'.

They're short-lived. Usually the code is only valid for a few minutes, so an attacker would have to be at the right place at the right time to intercept and use that code. An hour from now, it won't be valid anymore.

Reasons to hate text message codes

I'm sure you've seen apps that can read those codes. Usually they're intended to be helpful, grabbing that OTP from the text message and filling it in for you. Even WhatsApp setup helpfully reads those codes. Some phones even offer an option that will let you tap to copy the code right from a notification so you can paste it.

So it's not that far of a stretch that a malicious app could do the same thing: read the code and send it off to someone else so they can log in as you.

The text messages can even be intercepted before they arrive at the phone, which is why Google has advised Android users to disable the old unencrypted 2G mode.

A better solution

There are many MFA solutions based on an authenticator app in which no code is sent over the airwaves at all. From the device's clock and a shared secret, the app computes what the OTP should be right now, and once a minute it changes. Since these apps are designed to never share their secrets, the secret does not transfer to another device, and that is what makes these solutions superior to any transmitted OTP. But it also means that secret will not be available on the user's next smartphone.

A better solution is that instead of transmitting a numeric code, the website transmits a one-time-use link. The link can then verify the user with some other factor, such as looking for a familiar device ID or verifying the user's identity by other means. This has all the advantages of a text message OTP while significantly reducing the risk that an intercepted link would grant access.
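As an added example of the one-time-use link described above (my own illustration, not code from the article), this service issues a short-lived link bound to a known device ID, stores only a hash of the token, and burns the token on the first redemption attempt. The base URL, the five-minute lifetime, and the device-ID check are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

LINK_TTL_SECONDS = 5 * 60                      # assumed lifetime: a few minutes, like an SMS OTP
BASE_URL = "https://example.invalid/login"     # placeholder URL, not a real site


@dataclass
class PendingLogin:
    user_id: str
    device_id: str        # the "familiar device" the link is expected to be opened on
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues single-use, short-lived login links tied to a known device.

    Only a hash of the token is stored, so a copy of this table does not yield
    working links; the plaintext token exists only in the message sent to the user."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, device_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits of randomness: not guessable
        self._pending[self._key(token)] = PendingLogin(user_id, device_id, now + LINK_TTL_SECONDS)
        return f"{BASE_URL}?t={token}"

    def redeem(self, token: str, presented_device_id: str, now: float) -> Optional[str]:
        """Return the user_id on success, otherwise None."""
        entry = self._pending.get(self._key(token))
        if entry is None or entry.used or now > entry.expires_at:
            return None                       # unknown, already consumed, or expired
        # Any attempt consumes the link: an intercepted link tried from an unfamiliar
        # device gets exactly one try, and the real user just requests a fresh link.
        entry.used = True
        if not hmac.compare_digest(entry.device_id, presented_device_id):
            return None                       # second factor failed: not the familiar device
        return entry.user_id
```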

Disclaimer

As with any advice on providing better protection, someone determined enough will find a way in. The minimum most of us should aim for is what I call a "bike lock mentality."

Bike Lock Mentality

Imagine you're at a bicycle-friendly university like CU Boulder or UC Davis, and outside a big building is a parking lot packed with bicycles. If you're looking to steal a bicycle (either for convenient transportation or to sell the bike for cash), there will be a mix of security situations. Some bikes will have strong locks on them, and while you could technically invest in "bolt cutter" equipment to cut off that lock, there are plenty of other bicycles that have no protection on them at all, or are poorly secured, such as locking a removable wheel to the frame.

The goal as the owner of the bicycle should be to make your bicycle less attractive, so the thief will move on to someone else's.

The same mentality should be applied to your data. You don't need bank vault level security, just make it difficult enough for someone to get your data that an opportunistic attacker will move on to an easier target.


Susan Melchert

Organizational Change Management: Business Systems Analyst, Prosci Change Practitioner

5 months

Great explanation, Marc, this is exactly what many of us need to know. I will share it with my clients. I have been using DUO

Reply
David Eyk

77% of software projects end over schedule, over budget, or never even completed. We can do better. I build your Python/Django web apps to be safer, faster, more reliable, AND more profitable.

5 months

The main problems with any security-over-SMS scheme are the dangers of SIM swap and porting-out fraud, where the attacker gains control over the victim's phone number. https://us.norton.com/blog/id-theft/what-is-phone-account-takeover-fraud What's your take on the growing trend of emailed magic login links?

Reply
Ann Stewart Zachwieja

Cross-Functional Team Leadership | Senior Product Management | Marketing | Strategic Operations | Security Compliance | Business Process Automation

5 months

Great article, Marc. We all know the pain of passwords, a necessary evil. I like your suggestions for making things secure while still being user-friendly. That's the only way some (many?) people will follow good practices.

Reply
Shoieb Yunus

Product Strategy and GTM || F5 || Ex-NTT || Ex-Equinix

5 months

Excellent work! In your next write-up you may want to think about educating us how the other options might be better solutions… how do MFA, OTP and internal clock and secret codes work together?

Clint Mitchell

Technology & Operations Leader | Site Reliability Engineering Manager | Cloud Operations Manager | DevOps Manager | Organizational & Agile Leader | Mentor | Global | Operational Excellence

5 months

Very insightful! I like how you break down the pros and cons of text message MFA in a clear, relatable way. You mentioned app-based solutions—what do you think the biggest hurdle is for wider adoption of those in everyday systems?

Reply
