Comment on Millions of people imperiled through sign-in links sent by SMS
irotsoma@piefed.blahaj.zone 2 days agoProblem is finding something that is universal that is a “something you have” is difficult to find that almost everyone has. Almost everyone has a cell phone these days, so it’s a good option to use as that kind of factor. Email is a second “something you know” factor (I.e. via the password to your email account) and could be the same something if you use the same password. And getting someone to carry yet another device even if it’s simple like a Yubikey or something like that can be difficult. And unless biometric devices become universal on computers as well as phones, the “something you are” factor is hard to accomplish universally as well.
So, what options do you think are better that can be a “something you have” for use as a second factor to a password or other type of “something you know” factor?
artyom@piefed.social 2 days ago
TOTP or passkey are my preferred MFA options
irotsoma@piefed.blahaj.zone 2 days ago
SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password to the thing storing the keys. SMS based TOTP leaves the keys only with the site you’re logging into and only the time sensitive TOTP codes are ever sent out. And although the lifetime period for sms TOTP has to be longer, they are additionally expired on single use (assuming it’s implemented properly).
artyom@piefed.social 2 days ago
You know what I meant.
And anyone can get the keys to your phone number much more easily using the methods detailed in the OP.
irotsoma@piefed.blahaj.zone 1 day ago
That’s the thing though, with SMS 2FA you don’t have the keys at all, so you can’t generate codes, you only get the code you intercept. Same with email based, but with sms, the message has to be intercepted in a timely manner, which is much more difficult for SMS than if they already have your password that’s used for your email account. Plus the issues with SMS not being encrypted only really exists on 2G services which they really need to get rid of, or at least disable at the account level so 2G only works for emergency calls. 4G and up are significantly more secure (not perfect but requires much more complex hardware and knowledge of secrets from the cell company) and generally require the hacker to be masquerading as the user on the cellular network. Otherwise, hack the cell provider which is how a lot of the archived messages they mentioned are retrieved, because, yeah, they usually aren’t stored encrypted. But if the TTL of the TOTP code is 10-60minutes and single use as well as invalidated once a new code is sent like a bank or really any decent system should, archived message caches aren’t useful.
The issue mentioned in the article is totally separate. These are links that you can log in without needing to even know a username, much less a password, associated with that code. Guessing a random code generated for a specific account is much more difficult, not to mention needing the password. The article is more hypothetical in the actual security of the SMS messages going to a particular phone for a particular account and more about how bad the links being generated are since if you get one link from any insecure sms message you can access many random accounts as well as the one you intercepted and no other factor, even user id, is needed to use the links. So you can send one code just to your own account and then use that to hack others without even having to intercept anything nefariously.