nanog mailing list archives
Re: Malicious SS7 activity and why SMS should never by used for 2FA
From: Mark Tinka <mark@tinka.africa>
Date: Sun, 18 Apr 2021 17:48:46 +0200
On 4/18/21 15:04, Mel Beckman wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
It's quite likely that most institutions (especially financial ones) will prefer to use their own homegrown app-based authenticators. But again, those require a smartphone, which is still not the most basic pathway.
The good news - I just ran a test to log on to my banking profile from my laptop. I disconnected my phone from the world (Airplane mode) and while the app complained about not having Internet access, it was still able to generate a log-on, transaction or re-authentication code. So that helps. But that's just one of them... the other banks I use either don't have apps that replace physical authenticators, or require an Internet connection for 2FA. Thankfully, none of them require SMS to authenticate.
Nearly all the banks use SMS to either confirm a transaction has taken place, or to deliver an OTP to complete a transaction (but don't use SMS to do the initial or follow-up authentication).
Some of them are sending secure messages to confirm (and notify about) transactions within their apps, in lieu of SMS.
Mark.
Current thread:
- Malicious SS7 activity and why SMS should never by used for 2FA Eric Kuhnke (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tim Jackson (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Dan Hollis (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 17)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA John Levine (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA Tim Jackson (Apr 17)