nanog mailing list archives
Re: Malicious SS7 activity and why SMS should never by used for 2FA
From: Tom Beecher <beecher () beecher cc>
Date: Mon, 19 Apr 2021 08:43:59 -0400
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel () beckman org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -melOn Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote: On 4/18/21 05:18, Mel Beckman wrote: No, every SMS 2FA should be prohibited by regulatory certifications.The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.While I agree that SMS is insecure at the moment, I think there stillneeds to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.I know some companies have been pushing for voice authentication fortheir services through a phone call, in lieu of SMS or DTMF-based PIN's.We need something that works at the lowest common denominator as well,because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".Mark.
Current thread:
- Malicious SS7 activity and why SMS should never by used for 2FA Eric Kuhnke (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tim Jackson (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Dan Hollis (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Levine (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mike (Apr 20)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 20)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tim Jackson (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)