
I'm currently using two-factor between my Mac and iPhone. And I also use it for my Google account. (Those are the two only ones at the moment.)

How can I protect access to my accounts if I don't have a mobile phone?

  1. First, I'd like to understand if two-factor on a mobile phone is stronger than using a two-factor method that does not involve a mobile phone? If so, what particularly about a mobile phone makes it more secure? Is it because mobile phones have SIM cards, and no-one can get a SIM card without signing up with full name with a phone carrier, etc.?

  2. What alternatives do I have for two-factor for Apple ID / Gmail that does not involve a mobile phone? (Preferably something that does not require obtaining a physical item or signing up for some paid service.) Can sending a token by encrypted email be used, for example?

forthrin
  • SMS as a second factor is not recommended. Would you consider a two-factor app on a phone that has no SIM? I do that with an old phone. It's just an authentication device. – schroeder May 24 '17 at 13:28
  • "two-factor" as you use it in your first point is very broad - what do you mean by the term? An app? An SMS code? – schroeder May 24 '17 at 13:29
  • Maybe I've got the terms mixed up. But by "two factor", I mean that it's impossible to log in to an account only using a password. You have to somehow get a one-time code from another device or account, thereby increasing the security. The question is how I can achieve this without a phone at all. (And understanding where specifically the strength lies in the device we know as a mobile phone.) – forthrin May 24 '17 at 13:39
  • ok - you're using the term correctly - did you know that you can use a non-phone iPod app as a 2FA code generator? – schroeder May 24 '17 at 13:51

2 Answers


Relying on anything controlled by a mobile carrier is a bad idea. SMS is insecure by design (it transits in plain text) and mobile carriers don't care about security unless it interferes with their ability to scam their customers, so they couldn't care less if there's a bad guy pwning their infrastructure and intercepting 2FA texts en masse (given the horrors I've seen at a major UK carrier I wouldn't be surprised if most carriers already have advanced malware planted somewhere deep in their infrastructure).

For email you could set up your own fake "email" server that responds to email queries (with the site's name) and responds with the corresponding 2FA code. Internally that server would be mimicking the functionality of the "authenticator" apps (TOTP/HOTP are open standards and the online services don't know nor care whether you're using a smartphone app or some obscure solution like this one). You'd be connecting to the email server securely and you'd have some scripts that interpret incoming email queries and putting the responses (with the codes) directly in its "inbox" IMAP folder for your email client to pick up.

André Borie
  • According to this article, intercepting SMS is not straightforward. https://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication – forthrin May 24 '17 at 18:23
  • 1. Making a fake email server sounds like quite a low level job. Is there some ready-to-use software for this? 2. And how would you make Google/Apple talk to your fake email server in the first place? – forthrin May 24 '17 at 18:25
  • @forthrin "How is data secured within the provider's network, and between the provider and the server which wants the SMS to be sent, is out of scope of the GSM specification" so yeah. The other (very good answer) focuses on data transiting between the phone and GSM tower while my answer is about the bigger picture, including the network equipment at the provider and their business policies which prioritise scamming over security. – André Borie May 24 '17 at 19:42

What particularly about a mobile phone makes it more secure?

Nothing, at least as far as I am aware. The reason some of the current two-step / two-factor methods are based on phones and locally stored secrets is that people are more likely to remember their phone than to carry a token generator around with them, so basically, convenience and availability of the use case.

What alternatives do I have for two-factor for Apple ID / Gmail that does not involve a mobile phone?

There are plenty of alternatives, although almost all of them involve some extra piece of hardware. Sending the token over email would require the email to be secured with more than a password and username, otherwise you lose the "multi-factor" aspect completely. The point is to get some extra piece of "proof" that it is the correct user, but if you get the token to your email, someone who already has access to your account just has to check your inbox for the token. One thing you might want to check out are USB sticks that hold the secret keys / certificate to authenticate you, but in a corporate setting that would mean enabling the USB ports, which introduces another attack surface. However, for a private user that might not be a big deal.

PositriesElectron
  • Would email be acceptable if you used a secondary email account 1) with a strong password, and 2) with encrypted email content. – forthrin May 24 '17 at 18:27
  • I would assume that that would work, but it seems pretty redundant. A great password & encryption is nice, but the point of these tokens and especially Multi Factor Authentication is that, in addition to knowing username and password, you also have access to the secret. You prove that by entering the tokens (HOTP/TOTP as mentioned in another answer here). If the secret is also on the same pc then it doesn't prove that you are in the same location as your pc. – PositriesElectron May 24 '17 at 20:07
  • How does it affect security if: 1) Phone and PC are on the same Wi-Fi; 2) PC is tethering the phone's 4G connection; 3) Instead of a phone, another PC is used (on the same Wi-Fi)? – forthrin May 25 '17 at 08:29
  • I didn't think about same Wi-Fi vs. 4G at all, good point! – PositriesElectron May 25 '17 at 13:06