U.S. Government Says SMS Codes Aren’t Safe

Megalith

The National Institute of Standards and Technology has declared that SMS is dangerous for two-factor authentication. One reason they give is that SMS is linked to a SIM, which can be compromised by manipulating carriers. Suitable alternatives would include hardware (dongles) or software (apps) solutions that generate unique keys.

The goal of a 2FA system is to help guarantee that the person logging in with your password is actually you rather than a hacker who has guessed or stolen your password, or recovered it by cracking the passwords in a password dump from a hacked web site. “Two factor” refers to the fact that the system uses more than one way of verifying your identity – the password is the first factor, and the SMS code is one way of providing a second factor. There are several problems with SMS-based systems that led NIST to decide that SMS-based systems are insecure.
 
i'm shocked. SHOCKED! even!
 
Meanwhile, ssa.gov has just this week emailed everyone announcing their new SMS-based 2FA system to protect "My Social Security" accounts.

/facepalm

I saw this earlier in the week and thought for sure it was fake. It's unbelievable. The website actually says that if you do not have a phone that can receive text messages you CANNOT use the Social Security website to view your account. Who the fuck thought that was a good idea??? Do they not consider that their "customer base" was born before personal computer was even a word????

More Information About MFA


We implemented multifactor authentication (MFA) to comply with Executive Order 13681, which requires federal agencies to provide more secure authentication for their online services.

Now, all new and current my Social Security account holders will need to provide a cell phone number able to receive text messages. People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number.

We understand that not everyone may have a cell phone or cell service. However, research shows that an overwhelming majority of American adults have cell phones and use them for texting. So you can go fuck yourself (-ok ok I added that part)
Thanks Obama.
 
OK, you learn something new (deleted everything I just typed then): you can use Google 2FA now without having to use SMS 2FA auth as a backup (I guess that change happened when they added the Yes/No or Security Key options, or I have never tried deleting all the mobile numbers before). At least I know my Google account is secure now.

I just removed all my mobile numbers from my account and it's fine (it won't let me use Security Key at the same time with Yes/No enabled, but the Security Key is probably less secure than my phone Yes/No, as the key only requires me to insert it and press the button on the fob, while Yes/No requires me to unlock the phone first before I press yes/no).

The only issue I have come across with Google is the password reset: it still requires an email or phone number to recover the account (unlike MS, where you have a one-time-use very long recovery code). Unless it's delayed, there seems to be no way to use the phone to say yes or no to a password reset, or to use backup codes to reset the password, forcing you to use a single factor for password reset (or you have to tell your life story by verifying your identity by answering multiple questions about your account, which can take days to get back into the account if you provide correct or enough info). I'm most likely going to just tell my mobile operator to require identity before porting out or SIM replacement and re-add the number for password reset until Google fixes their password reset (it should use my 2FA options for password reset, not 1FA email or number, as it kinda defeats the point of having 2FA enabled on my account if they can just simply reset my password and disable 2FA).

At the moment the weakest link is the mobile operator with 2FA SMS and people using SMS as auth.

At least 2 mobile operators I have talked to were too easy to get into, and at least one that is online only lets you move the number onto another SIM card once you're logged in, within 5 minutes (same network, new SIM card), and steal the number fully within a day (port out to another network). There are no protection mechanisms apart from username and password.
 
I would never trust them with my phone number anyway so have never used that option.
 
It's better than not having it. To meet NIST standards for higher security stuff, something better should be used. This would include things like government VPNs, mail access, etc. So what? Doesn't mean your average websites should stop using SMS for MFA. They should however strive to also offer something better, but it's not the end of the world for consumers that don't likely have nation state hackers after them.
 
Is there any way to have one-push-type authentication less dependent on the device it is installed on?

I always hated that about one-push and type-based authentication; it seems so reliant on the device it is installed on that if it stops functioning it'll be a PITA to get the account back. I use it for two accounts, only because those two offer 2FA but don't offer SMS.

With SMS, even if my phone suffered a direct nuclear strike, I would still be able to log into my account so long as my carrier continues to exist (which isn't an issue, it's only semi-privatised atm).
 
So we are being forced by SSA to use a class of devices that have some of the highest levels of being compromised as a way to improve security? Typical clueless government policy.
 
The US government is no longer safe or trustworthy so why should I believe anything they say. This entire system is a hoax.
 