The Weak Link in 2FA? Perfectionism.

Published September 06, 2017 by Parth Awasthi

It might be a cliché to call web security an arms race, but like all good clichés, it’s based in truth. While it’s hard for even the best-known tech firms to secure their properties entirely, there are simple steps beyond standard passwords that you can take to protect your site’s users.

Passwords alone are no longer enough for two key reasons:

  1. Users love to reuse passwords among different services. It’s convenient.
  2. In a world where just one leak exposes a billion user account details, there’s a good chance that some of your users have chosen a password that they’ve also used in a compromised account.

That second one is the kicker, driving home the point that good web security is not a lock and key as much as it is a war of attrition.

By building a series of defenses, you stand a better chance of defeating attackers. Of course, one of the most prominent additional defenses is two-factor authentication (2FA). But in efforts to implement perfect 2FA, are we reducing the number of people who can benefit from it?

Two-factor authentication via SMS or app

Let’s cover the basics of 2FA to better understand where intelligent compromises could mean protection for a broader user base. Two-factor authentication relies on your end-user having two of three things:

  • something they know (usually a password)
  • something they have (such as a cellphone)
  • something they are (a thumbprint, for example).

Most 2FA relies on the first two: a password and a cellphone. Verifying the “something they have” is often handled in one of three ways:

  • PIN code sent via SMS: anyone with a cellphone can use this
  • App-based (not internet reliant): an app generates an expiring code—based on a secret key plus the current time—and the user enters this in the website login form. Google Authenticator works this way.
  • App-based (internet connection required): the app asks the phone holder to confirm the login, often displaying a token in both the web login and the app. Microsoft’s Authenticator works this way.

Arguably, each of these is more secure than the last. However, perfect is the enemy of good. Anyone with a mobile phone can use SMS-based two-factor authentication. The Google Authenticator style requires a smartphone. The Microsoft Authenticator style requires a smartphone and a reliable data connection.

2FA that transcends device, OS limitations

As of 2016, there were 7.3 billion mobile phone subscriptions worldwide. That’s around one cellphone per human on Earth. In western countries, it’s a pretty safe bet that a mobile subscription is associated with a smartphone: 77% of US cellphones are smartphones, for example. In sub-Saharan Africa, smartphone penetration drops below 50%.

The definition of smartphone varies, too. Whereas in the West most smartphones are likely to be a fairly recent Android or iOS device, that’s not always the case elsewhere. Devices running discontinued platforms such as FirefoxOS and Ubuntu Touch specifically targeted lower-income markets, meaning that a smartphone penetration figure may not have the same meaning between different countries.

And then, of course, there’s the Android update problem. Android device manufacturers are notoriously slow in releasing OS updates and, in many cases, they discontinue security updates altogether. Although Google plans improvements to the release process, operating system updates will remain the responsibility of device vendors. The result is millions of insecure Android devices and a thriving ecosystem of Android malware targeting them.

Finally, there’s the issue of user resistance to installing yet another app. If your 2FA is optional and requires a special app to be installed, some users will opt for the risk of less security.

In a world where smartphone penetration is uneven—to say the least—and we can’t trust that smartphone platforms are as secure as we’d like, SMS provides a reliable baseline.

That’s not to say that SMS is perfect but neither is app-based 2FA.  Web security is not about achieving perfection: it’s about providing as many good-enough defenses as it takes to dissuade attackers.

SMS means no additional app for users to install and it means offering additional security to everyone.

Improving SMS 2FA security

SMS-based 2FA does carry the risk of bad actors taking control of a user’s phone number, such as by fraudulently porting the number to another network or having another telecoms provider report that number as currently roaming on their network.

Both of these assume the attacker would see enough value in intercepting the code to justify the elaborate effort.  Your users are unlikely to be targets of such involved attacks. Even if they were, it’s relatively simple to add safeguards that protect against them.

Each phone number has identifying characteristics beyond its digits. Using an API, such as Nexmo’s Verify API, you can learn those characteristics—phone subscription type, network, and roaming status—and apply them to additional security checks. If you record these attributes when a user first registers via two-factor authentication, you can then recheck them each time before you send a 2FA SMS. If anything has changed, it’s time to ask the user to take additional steps to prove their identity.

SMS means 2FA for everyone

SMS-based two-factor authentication allows you to offer additional security to the greatest number of potential users worldwide. It’s relatively low effort for your users, it is available on every mobile device and it costs little to implement. Check out Nexmo’s 2FA API to see just how quickly you can improve the security of your web logins.

Leave a Reply

Your email address will not be published.