Summary ‘SMS authentication is no longer sufficient for system management’ – Rian van Heur, AG Connect, 7 August 2018
SMS authentication is no longer sufficient for IT administration
SMS authentication is the most commonly used variant of 2-factor authentication, but it is not infallible. Online discussion platform Reddit advises against the use of SMS authentication and encourages users to use 2-factor token authentication instead. Last week, it became clear that a hacker had gained access to the online platform by intercepting an authentication SMS. How safe is logging in with SMS authentication? Six questions and answers.
1. SMS authentication is not 100% secure, is this new?
According to Fox-IT’s principal IT Security Expert Francisco Dominguez, it has long been known that SMS can be intercepted. “In view of technical progress, it is becoming increasingly easy to intercept SMS. The question is, of course, how easy it will be in the future, because providers are evolving as well. But we must not forget that SMS is sent through the air from various points without encryption.”
2. In what ways can SMS messages be intercepted?
According to Dominguez, there are various methods of intercepting SMS messages, such as the SIM swap, in which a malicious party obtains a new SIM card for the victim’s number via a shop. Another method is to use social engineering to port a number to a different provider.
3. Is SMS no longer safe to use as an authentication method?
“SMS is not necessarily unsafe, and in any case, it is safer than not using any authentication,” says Dominguez. However, for important data, he recommends a different method of authentication.
4. So what is considered a secure authentication method?
Better security is provided by an authentication application on the phone, such as Google Authenticator. Dominguez calls Universal 2nd Factor, also abbreviated to U2F, the safest method to date. “This authentication method provides good protection against phishing attacks, because the URL is also checked during the login process.”
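As an added illustration of the URL check Dominguez refers to (example code written for this summary, not from the article or Fox-IT), the Go program below models a U2F-style token that only signs for the origin it was registered at, and a relying party that verifies the signature over its own origin. The origins and the challenge are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models a U2F-style authenticator: one key per registered origin.
// The browser, not the web page, tells the token which origin is asking.
type Token struct {
	keys map[string]*ecdsa.PrivateKey // origin -> key registered there
}
// Register creates a key bound to the origin the browser reports.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys[origin] = k
	return &k.PublicKey
}
// Assert signs SHA-256(origin || challenge) with the key registered for that
// origin. A look-alike origin has no key, so the token refuses to sign.
func (t *Token) Assert(origin string, challenge []byte) ([]byte, bool) {
	k, ok := t.keys[origin]
	if !ok {
		return nil, false
	}
	h := sha256.Sum256(append([]byte(origin), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig, err == nil
}
// Verify is the relying party's check: the signature must cover its own origin
// and the fresh challenge it issued, so a signature made elsewhere fails.
func Verify(pub *ecdsa.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	h := sha256.Sum256(append([]byte(rpOrigin), challenge...))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// Demo: register at the genuine origin, then replay the same server challenge
// through a look-alike origin. Returns (genuine login ok, phished login ok).
func Demo() (bool, bool) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	const rp = "https://admin.example.com"            // constructed origin
	challenge := []byte("constructed-random-nonce-42") // real RPs use random bytes
	pub := tok.Register(rp)
	sig, ok := tok.Assert(rp, challenge)
	genuine := ok && Verify(pub, rp, challenge, sig)
	sig, ok = tok.Assert("https://admin-example.com", challenge) // look-alike site
	phished := ok && Verify(pub, rp, challenge, sig)
	return genuine, phished
}
func main() { fmt.Println(Demo()) } // prints: true false
```

An SMS code, by contrast, carries no binding to the page it is typed into, which is why a relayed code is accepted wherever it is submitted.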
5. Is setting up a different authentication method easy for an administrator?
For the administrators of an application, switching requires adjustments and extra work. According to Dominguez, the most difficult step is to get users to actually use 2-factor authentication.
6. To what extent is 2-factor SMS safe for administration tools?
Dominguez recommends not exposing the administration tool’s login page to the internet, using U2F tokens, or using an authentication app.