Is tokenless (specifically SMS) 2FA a security compromise over OTP tokens?

Question

I've been looking into the various pros/cons of tokenless (particularly SMS based) and traditional token based two-factor authentication (think RSA SecurID). After doing some research, I think I have a better understanding of the two options when it comes to usability, cost, etc, but I'm having trouble finding good in-depth independent analysis of the security of each solution.

As I understand it so far, tokenless 2FA is cheaper and easier to deploy. I also appreciate that some people are less likely to forget their mobile than they are to forget their OTP token. Disadvantages include the fact that some level of SMS reception is required, although vendors have produced solutions to deal with this, including send the next code immediately after the last one is used, "day use" codes and sending multiple codes in each SMS. Am I right in thinking that these "solutions" are actually a bit of a security compromise? If so, how much of a compromise are they, realistically? I've also heard some say that going through the process of receiving the SMS each time can be a pain for regular users, with traditional tokens being more practical. Has anyone found this to be the case?

Advantages of traditional OTP tokens include the fact that no phone reception is required, and they're practical for regular users. Would you recommend deploying traditional tokens to employees that travel internationally (due to mobile reception issues)?

With tokenless 2FA being both cheaper and easier to deploy, you'd think that traditional tokens would be going out of fashion much quicker than they are. If you were to believe the marketing material from companies such as SecureEnvoy, the days of traditional OTP tokens are numbered. However, I get the impression this isn't quite the case. This leads me to think that many companies are sticking with traditional physical tokens because they believe them to be more secure than tokenless 2FA. Is this the case, or is it due to some other factor? Are traditional solutions like RSA SecurID just trading on the market position they've established in the past, or is there still case for physical tokens?

On first inspection, soft tokens seem to provide some of the benefits of SMS based tokens, without the requirement for SMS reception. If users have smartphones, would that be a better option? Is it a no-brainer to deploy soft tokens over SMS based to users of smartphones, or are there other factors to consider?

I'm aware that I've really asked a few related questions, so just to recap, my questions are:

a) Is tokenless 2FA (particularly SMS based) a security compromise over traditional tokens?

b) Are physical tokens still popular just because they're tried and tested, with companies like RSA trading on the reputation they've established, or is there still an objective case for sticking with physical tokens?

c) Have people found that SMS based 2FA is impractical for regular users and found themselves deploying physical tokens to those users?

d) Are the solutions such as "day use" codes and multiple codes in a single SMS much of a security compromise compared to the default of single codes being sent and stored in an SMS?

e) For users of smartphones, is it a no-brainer to deploy soft tokens rather than rely on SMS based 2FA?

f) Can anyone direct me to some appropriate literature that I should be reading to really get a feel for some of the above issues?

The questions are quite closely related, so I've kept them all together. Please let me know if you feel I should be seperating the above out into separate StackExchange questions.

Answer 1

a) Is tokenless 2FA (particularly SMS based) a security compromise over traditional tokens?

Yes SMS is better than just a password but the weakest of the forms of 2FA.

The main security risks are:

• Number redirection
• Phone stolen
• Transaction performed on the phone. This is a major one with the growth of smartphones and tablets capable of receiving iMessage type messages

Also like you said the operational considerations:

• SMS coverage. The options you stated such as sending two codes or a day code reduce the strength of the one time password as it is valid for a lot longer period and thus providing a greater window for compromise
• Cost of sending the SMS, especially if you need to send internationally
• Require battery

That said it is still the most convenient for users because:

• Most people have a phone capable of SMS and carry it with them always.

It also has a security benefit in that:

• users are far more likely to notice a missing phone rather than a missing token
• if the seed file and/or algorithm is compromised (e.g. RSA breech) it is far easier to replace a fleet of soft tokens or change the SMS OTP seed file and algorithm rather than a fleet of hard tokens

b) Are physical tokens still popular just because they're tried and tested, with companies like RSA trading on the reputation they've established, or is there still an objective case for sticking with physical tokens?

There is a objective case as they provide a fit depending on your threat model.

Of course there is also change resistance. Large companies that have deployed hard token infrastructure, deployed tokens, trained their users have to build a business case for the project not just that say SMS or soft tokens are cheaper and more convenient. Although with the RSA breach for example I know of quite a few companies that took the opportunity to move to soft tokens.

c) Have people found that SMS based 2FA is impractical for regular users and found themselves deploying physical tokens to those users?

The only times I have heard this are:

• A significant enough population of users do not have phones or phones capable of soft tokens and the company cannot be seen to discriminate
• Users are already trained in using hard tokens
• Users already have a hard token and it is easier to re-use than deploy and train for SMS
• International users and the cost of sms or difficulty sending local sms is prohibitive

d) Are the solutions such as "day use" codes and multiple codes in a single SMS much of a security compromise compared to the default of single codes being sent and stored in an SMS?

Yes as they reduce the strength of the one time password as it is valid for a lot longer period and thus providing a greater window for compromise

e) For users of smartphones, is it a no-brainer to deploy soft tokens rather than rely on SMS based 2FA?

Not necessarily. A threat model still needed, a soft token still can be compromised more easily than a hard token. Smart phones are computers, they can still get malware, applications can gain access to your seed or OTP and transmit it elsewhere.

Also the operational considerations mentioned above. If it is a mining environment is a hard token that needs a new battery every few years and is more resistant to dirt, variation in temperature, liquids going to be better?

f) Can anyone direct me to some appropriate literature that I should be reading to really get a feel for some of the above issues?

Oldie but a goodie: http://www.isaca.org/Journal/archives/2007/Volume-3/Pages/Analyzing-the-Security-of-Internet-Banking-Authentication-Mechanisms1.aspx

Answer 2

a) Is tokenless 2FA (particularly SMS based) a security compromise over traditional tokens?

You could say that SMS and mobile phones are less secure as a medium. Companies like RSA often point out the weaknesses, but remember that RSA is obviously biased. Of course, RSA itself has shown us that token-based solutions are also vulnerable to compromise.

There are arguments for sms-based tokens being more secure. As I mentioned, a hardware token has a fixed algorithm that may potentially be compromised and reproduced without the user ever knowing. However, a SMS token doesn't have to follow any predictable algorithm; the code can be completely random. Furthermore, SMS tokens may have some benefits when it comes to repudiation (or non-repudiation) because the physical location of a mobile phone is tracked and one could go back and correlate that with a particular login.

Another thing is that an SMS code could also be effective in preventing a MITM or at least require it to be so elaborate that it would eliminate the feasibility of most of these attacks (a cool thing would be a SMS code combined with a soft token to be able to authenticate both the server and the client).

b) Are physical tokens still popular just because they're tried and tested, with companies like RSA trading on the reputation they've established, or is there still an objective case for sticking with physical tokens?

Physical tokens do have the benefit of being able to produce a code independent of any electronic channels that could potentially be snooped or otherwise compromised. They also have the ability of being standardized across a company, not requiring a device that could fail or a battery that frequently runs out, can be waterproof and more rugged in general. Some tokens such as the Yubikey must be plugged in to a USB port which verifies the actual existence of the token (but also requires an internet connection to authorize). Physical tokens can also be combined with proximity cards for physical access. And of course physical tokens such as smart cards may contain PKI certificates that can be used for other encryption or authentication purposes. So yeah there are benefits to them.

e) For users of smartphones, is it a no-brainer to deploy soft tokens rather than rely on SMS based 2FA?

Overall, I don't think you can argue that any of these techniques is significantly stronger or weaker than any other from a security standpoint (they all have their strengths and weaknesses). Either way, any token combined with a user password will greatly boost security.

On the other hand, there can be a huge difference in price, manageability, and support overhead between the different technologies.

If you do something like HOTP or TOTP you can use soft tokens, physical tokens, or even web-based tokens if necessary. I use google authenticator on my phone and I have six different tokens from different places. It is free and supports both HOTP and TOTP standards. But I also use a Yubikey for some accounts, the DIGIKEY token to login to PayPal, and SMS-based to login to facebook.

Answer 3

IMO the security level of SMS based authentication is much higher than with traditional tokens in some important scenarios. Namely it's secure in the common case of a trojan infected PC for online banking, whereas most traditional tokens utterly fail in this situation.

The difference is that the phone displays the amount of money and target account, whereas the number produced by a traditional token can be repurposed by the trojan. For example it might display "Transfer 100$ to Alice" but uses the token to "Transfer 1000$ to Eve".

Answer 4

Why SMS 2FA is better and probably more secure than its Token counterpart.

1. You don't need a server with its own security weakness to install the software for Token 2FA.

2. You have a separate device that provides 2FA where you can isolate it in the network. Ever seen someone install software for Token 2FA in the same server where LDAP and RADIUS is installed?

3. Most people have a mobile phone.

   1. A person typically values his phone more than the token.

   2. When a person loses his phone, he immediately make a police report.

   3. As a Token is smaller than the phone, the probability of losing it without immediately noticing is high.

4. From what I understand, RSA has been compromised in 2011.

There is no 100% security. You have to be one step ahead of the hacker or he is one step ahead of you. Security is not only whether the product you are using is from a giant, reputable, tested vendor. It doesn't make them God on security.

Answer 5

I agree with Rahkki and Mark above. The key thing to realize is that SMS is not a software token that includes some type of encryption you control. SMS is basically email and about as secure. The carriers are dis-incented to secure their users' accounts, use encryption, etc, etc. More here: https://www.wikidsystems.com/WiKIDBlog/another-nail-for-sms-authentication/why-using-sms-for-authentication-is-a-bad-idea

Answer 6

Ok so here are my answers to your questions.

(a) A big NO. There is no security compromise in tokenless 2FA (SMS based or otherwise). Tokenless 2 factor authentication is equally safe if not more to any Token based 2FA.

(b) I believe that physical tokens are still in use because companies had chosen them initially and now it is inconvenient to shift to a tokenless 2FA. But the companies who are implementing 2FA for the first time are choosing tokenless 2FA over traditional 2FA.

(c) No, In fact it is the other way around. More people are going for tokenless 2 factor authentication.

(d) There might be some risk involved in ""day use"" codes and multiple codes in an SMS, but it is not very significant.

(e) Software tokens have their own threats such as computer viruses and software attacks.

(f) You can read the wiki page on 2FA. http://en.wikipedia.org/wiki/2FA