We will text you a code...
Marc J. Miller
Senior Product Manager | Product Strategy | Leadership Coach | Customer Research | Scrum | Technical | Business Requirements | Cybersecurity | Integrity | Transparency | Dedication | Value Metrics | Lean Agile
The worst thing you can do is to secure your user logins with passwords alone. The second-worst thing you can do is to secure them with text message MFA... but SMS codes are still far better than passwords alone.
There have been volumes written on how bad it is that most systems rely on passwords, and I won't go into that in depth other than to summarize:
Passwords continue to be popular because they're familiar, they're ubiquitous, and every browser and password vault these days knows exactly how to handle them.
Multi-Factor Authentication
Multi-factor authentication (MFA) means the user's identity is verified in at least two different ways, drawn from different categories: something you know (a password), something you have (a phone or a hardware token), or something you are (a fingerprint). Usually one factor is the password (which, again, is because everyone knows what to do with them); the second can be a lot of different things, including a hardware security key, a passkey (a public/private key pair whose private key never leaves the device; the device proves possession by signing a fresh challenge from the website, so nothing reusable is ever transmitted), an authenticator app, or a text message code. A security question is often offered as a "second factor", but it is just another thing you know, so it does not add a second category.
Many websites have now implemented MFA, which in any form is much better than a password alone. But when it comes to text message one-time passwords (OTPs), I love 'em, I hate 'em, and I have better ideas for them.
Reasons to love text message codes
Text message codes are sent directly to the user at a mobile phone number they have and may continue to have for the rest of their lives. Phone numbers outlive phones, so even if you upgrade your phone in a couple of years, that one website you only access every couple of years will still be able to verify your identity.
They're also easy. Usually the code is numeric, so there's no confusion between similar-looking characters: whether a character is a 0 or an O, an l (lowercase L), an I (uppercase i) or a | (pipe), a comma or a period.
They're short-lived. Usually the code is only valid for a few minutes, so an attacker would have to be in the right place at the right time to intercept and use it; an hour from now, it won't be valid anymore. Be clear about what that buys: a short lifetime limits replay of a code captured earlier, but it does nothing against a phishing page that relays the code to the real site the moment the user types it in.
Reasons to hate text message codes
I'm sure you've seen apps that can read those codes. Usually they're intended to be helpful, grabbing that OTP from the text message and filling it in for you. Even WhatsApp setup helpfully reads those codes. Some phones even offer an option that will let you tap to copy the code right from a notification so you can paste it.
So it's not much of a stretch that a malicious app with the same SMS or notification access could do the same thing: read the code and send it off to someone else so they can log in as you.
The text messages can even be intercepted before they arrive at the phone, which is why Google has advised Android users to disable the old, unencrypted 2G mode. And the message can be redirected entirely: in a SIM swap or port-out fraud, the attacker convinces the carrier to move the victim's phone number to a SIM the attacker controls, and every code from then on goes to the attacker.
A better solution
There are many MFA solutions based on an authenticator app or hardware token in which no code is sent over the airwaves at all. The device holds a secret that was provisioned once (usually by scanning a QR code), and from that secret and its clock it computes what the OTP should be right now; with the common TOTP scheme (RFC 6238) the code changes every 30 seconds. Because nothing is transmitted to the phone, there is nothing for a malicious app or a SIM swapper to intercept, which makes these solutions superior to any transmitted OTP. The flip side is that the secret lives on that one device: a hardware token never gives it up, and an authenticator app only carries it to the user's next smartphone if the app offers a backup or transfer feature, so the site still needs a recovery path.
A better solution for the SMS case is that instead of transmitting a numeric code, the website transmits a one-time-use link. On its own the link is just a bearer token, so what makes it better is what the site checks when the link is opened: that it has not expired or already been used, and that it is being opened from the browser that started the login (a cookie set when the login began), or that the user can be verified by some other means. An intercepted link then fails on the attacker's device even though it is perfectly valid on the user's. This keeps the advantages of a text message OTP while significantly reducing the risk that an intercepted link grants access.
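The following is an added example, not code from the original post, of the server side of that idea: a one-time login link that expires, is consumed on first use, and is bound to the browser that started the login through a secret cookie. The same store also covers the short-lived, single-use handling described earlier for numeric text message codes; a six-digit code would simply replace the token in the URL. The base URL, TTL and cookie name are hypothetical, and the store is an in-memory dict standing in for a database or cache.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical values for the example; a real deployment picks its own.
LOGIN_BASE_URL = "https://example.invalid/login/"
LINK_TTL_SECONDS = 10 * 60        # long enough to read an SMS, short enough to bound interception
BROWSER_COOKIE = "pending_login"  # HttpOnly cookie set on the browser that started the login


@dataclass
class PendingLogin:
    user_id: str
    token_hash: bytes    # only a hash is stored; the raw token travels in the SMS
    browser_hash: bytes  # hash of the cookie secret; binds the link to that browser
    expires_at: float


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


class OneTimeLinkService:
    """In-memory store of single-use, expiring, browser-bound login links (constructed example)."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingLogin] = {}

    def start_login(self, user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Called when the user submits their phone number.

        Returns (browser_secret, link): browser_secret goes into the BROWSER_COOKIE cookie on the
        browser making this request; link is what gets texted to the user."""
        now = time.time() if now is None else now
        link_id = secrets.token_urlsafe(16)        # public lookup key
        token = secrets.token_urlsafe(32)          # bearer part, only ever sent in the SMS
        browser_secret = secrets.token_urlsafe(32)
        self._pending[link_id] = PendingLogin(
            user_id, _digest(token), _digest(browser_secret), now + LINK_TTL_SECONDS)
        return browser_secret, f"{LOGIN_BASE_URL}{link_id}/{token}"

    def complete_login(self, link: str, browser_secret: Optional[str],
                       now: Optional[float] = None) -> Optional[str]:
        """Called when a link is opened. Returns the user_id on success, else None."""
        now = time.time() if now is None else now
        if not link.startswith(LOGIN_BASE_URL):
            return None
        parts = link[len(LOGIN_BASE_URL):].split("/")
        if len(parts) != 2:
            return None
        link_id, token = parts
        pending = self._pending.get(link_id)
        if pending is None:
            return None
        if now > pending.expires_at:
            del self._pending[link_id]             # expired: clean up and refuse
            return None
        if not hmac.compare_digest(pending.token_hash, _digest(token)):
            return None                            # wrong token: refuse; rate-limit this path
        # Correct token, but not from the browser that started this login: someone else has the
        # SMS. Burn the link so the real user has to start over (and alert, in a real system).
        if browser_secret is None or not hmac.compare_digest(pending.browser_hash, _digest(browser_secret)):
            del self._pending[link_id]
            return None
        del self._pending[link_id]                 # single use: consumed on success
        return pending.user_id


if __name__ == "__main__":
    svc = OneTimeLinkService()
    cookie, link = svc.start_login("alice")
    print("attacker with intercepted link, no cookie:", svc.complete_login(link, None))   # None
    cookie, link = svc.start_login("alice")
    print("user on the originating browser:", svc.complete_login(link, cookie))           # alice
    print("same link a second time:", svc.complete_login(link, cookie))                   # None
```

The binding has a usability cost worth naming: the link must be opened in the same browser that started the login, which is natural when the whole flow happens on the phone but not when the user starts on a laptop and taps the link on a phone. The usual answer is to let the link approve the pending login while the originating browser polls for completion, which keeps the "familiar device" check without forcing the user to switch devices.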
Disclaimer
As with any advice on providing better protection, someone determined enough will find a way in. The minimum most of us should aim for is what I call a "bike lock mentality."
Bike Lock Mentality
Imagine you're at a bicycle-friendly university like CU Boulder or UC Davis, and outside a big building is a parking lot packed with bicycles. If you're looking to steal a bicycle (either for convenient transportation or to sell for cash), you'll find a mix of security situations. Some bikes will have strong locks, and while you could technically invest in bolt cutters to cut off that lock, there are plenty of other bicycles with no protection at all, or poorly secured ones, such as a removable wheel locked to the frame.
The goal, as the owner of the bicycle, should be to make your bicycle less attractive than its neighbors so the thief moves on to someone else's.
The same mentality should be applied to your data. You don't need bank vault level security, just make it difficult enough for someone to get your data that an opportunistic attacker will move on to an easier target.
Organizational Change Management: Business Systems Analyst, Prosci Change Practitioner
5 months ago: Great explanation, Marc, this is exactly what many of us need to know. I will share it with my clients. I have been using DUO
77% of software projects end over schedule, over budget, or never even completed. We can do better. I build your Python/Django web apps to be safer, faster, more reliable, AND more profitable.
5 months ago: The main problems with any security-over-SMS scheme are the dangers of SIM swap and porting-out fraud, where the attacker gains control over the victim's phone number. https://us.norton.com/blog/id-theft/what-is-phone-account-takeover-fraud What's your take on the growing trend of emailed magic login links?
Cross-Functional Team Leadership | Senior Product Management | Marketing | Strategic Operations | Security Compliance | Business Process Automation
5 months ago: Great article, Marc. We all know the pain of passwords, a necessary evil. I like your suggestions for making things secure while still being user-friendly. That's the only way some (many?) people will follow good practices.
Product Strategy and GTM || F5 || Ex-NTT || Ex-Equinix
5 months ago: Excellent work! In your next write-up you may want to think about educating us on how the other options might be better solutions… how do MFA, OTP and internal clock and secret codes work together?
Technology & Operations Leader ? Site Reliability Engineering Manager ? Cloud Operations Manager ? DevOps Manager ? Organizational & Agile Leader ? Mentor ? Global ? Operational Excellence
5 months ago: Very insightful! I like how you break down the pros and cons of text message MFA in a clear, relatable way. You mentioned app-based solutions. What do you think the biggest hurdle is for wider adoption of those in everyday systems?