
A bank offers two factor authentication in two forms. The first is SMS to a registered phone number (registration done at bank branch). The second is a provided hardware token.

Both options are offered at every login (you don't get to disable one), after successful authentication with the password.

What benefits (if any) are there of a valid user consistently choosing the hardware token option at the login screen? Note that an attacker with the correct password can always trigger the SMS option.

Note to comments: I do know that SMS is "weaker" than a hardware token for 2FA implementation.

User43234
  • Security-wise, the token is dedicated hardware and very unlikely to be compromised, while phone malware is a risk. There are other issues: the token works in areas with no phone signal. Also, a token is a one-off cost, while the SMS is an ongoing cost. – paj28 Oct 28 '16 at 00:14
  • Are you aware of NIST's guidance on the weaknesses of SMS for 2FA? – schroeder Oct 28 '16 at 07:22
  • Disagree with the duplicate - this question is about the user's choice when both are available, the other about what the bank should provide. – Anders Oct 28 '16 at 07:49
  • @Anders: the choice depends on the advantages and disadvantages of each of the solutions, no matter if the bank or the user has to choose. And these problems are discussed in the answers to the other question in detail. – Steffen Ullrich Oct 28 '16 at 08:11
  • @SteffenUllrich I would say that the last sentence of the question makes the difference, but I do not know the answer so I might be wrong. – Anders Oct 28 '16 at 08:38
  • @User43234: *attacker with the correct password* - I'm not sure if I understand this part correctly: are you required to have the SMS option (i.e. must give a valid and reachable phone number), and can an attacker who only knows the password set up or change the phone number for SMS even if 2FA with the hardware token is already enabled? – Steffen Ullrich Oct 28 '16 at 09:12
  • @SteffenUllrich This website will only ask for the second factor (something you have) if the first factor (something you know) is provided correctly. An SMS option is mandatory. – User43234 Nov 08 '16 at 09:28
  • @SteffenUllrich A user can only change the SMS number at the bank branch. – User43234 Nov 08 '16 at 09:29

2 Answers

SMS is not as intrinsically secure as a locally-run algorithm like HOTP; there is always the possibility of a compromise in the network. For most people, though, this isn't within their threat model.

Personally, I don't use SMS as a second factor, because it isn't in my setup. I've long used Google Voice, and now use Google Fi, and so my text messages can also be accessed through my Google account. This no longer makes it a "something you have", but just another "something you know".

Hardware-based tokens have an additional protection over phone-based tokens (even HOTP/TOTP apps) because they're operating on much simpler hardware: it's much more difficult to compromise a Yubikey than an Android phone.

Xiong Chiamiov
  • And a separate token with its own display and possibly keypad is near impossible for even a reasonably sophisticated attacker to tamper with undetectably, whereas intercepting an SMS in transit is possible to do stealthily. – user Oct 28 '16 at 14:31

Liability.

If the bank offers you two levels of security and you choose the lower one, then you are accepting the lower security. If that lower security is compromised (as Xiong states), then you accept that liability.

There was a court case (in the US) where a bank offered 2FA, and the client chose not to use it at all. The client had money stolen. The bank refused to compensate them, and claimed that the client accepted that liability when they didn't use the 2FA. The court agreed. The client appealed (pending).

So, if you are the client, and you always take the HW 2FA, and someone hacks in with SMS, then you have a better legal defense.

(Sometimes Security questions are not about security, they are legal issues.)

MikeP
  • Yes, but in most countries the laws are strict that the intrusion must have happened over the channel with lower security. Example: you select only a password for your bank account. A fraudster makes a fake ID card in your name and uses it to empty the bank account, and no one is requesting a password, and would not request 2FA if it were enabled on the account. Then you will be reimbursed, even if you have 1234 as your password. But it's very clear that you will NEVER be reimbursed, regardless of whether you select password, SMS, 2FA or whatever, if that authentication solution is compromised to empty the account. – sebastian nielsen Oct 28 '16 at 04:36
  • Because if the authentication solution is compromised, it means the account holder did contribute to the risk, for example by sharing passwords/codes, installing malware, or not storing the token safely enough. So if you take HW 2FA *AND* enable SMS on the account, you would still be liable. But if you don't enable SMS, they can't hack in with SMS, thus you would not get the money stolen at all. So there's no liability problem anyway. – sebastian nielsen Oct 28 '16 at 04:39
  • @MikeP: Which court case was it? – User43234 Nov 08 '16 at 09:38
  • @User43234 http://personalmoneystore.com/moneyblog/ocean-bank-online-fraud/ – MikeP Nov 08 '16 at 16:22