18

Websites often send a code to a cell phone number for verification. Is this secure? If it is not secure, are there any better alternatives?

Anders
Lone Learner
  • 3
    It is a weak second factor, and since many attacks on mobile numbers have been known (apps, new SIM cards, SS7) it is no longer allowed for some more important use cases. However, it is still an easy additional factor with a low entry barrier (the lowest besides email address); also many services use this to reduce the opportunity to set up fake accounts, as the number of SIM contracts you have access to is a cost factor. – eckes Jul 14 '20 at 13:04
  • 4
    The original question asked "Is this a secure way to validate the ownership of mobile number? Are there any issues with it?" -- I think the very short question as-is at the moment doesn't make much sense anymore. "Is this secure?" - for what?! – Martin Jul 14 '20 at 21:42
  • Does this answer your question? [How hard is it to intercept SMS (two-factor authentication)?](https://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication) – craq Jul 15 '20 at 01:13
  • 3
    @craq That question and answers from 2012 don't appear to mention SS7 at all, when a simple search on "SS7 2FA" reveals that this is now a [significant problem](https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank) that has been actively exploited. – Zach Lipton Jul 15 '20 at 04:05
  • 1
    Editing a question in a way that invalidates existing answers is generally considered inappropriate behavior across the entire Stack Exchange network. @LoneLearner -- please don't do that, and consider rolling the edits back to the original meaning, and asking a _separate_ question with the new one. – Charles Duffy Jul 15 '20 at 22:44
  • Secure by which means? What do you want to achieve? – Nico Haase Jul 16 '20 at 05:52

3 Answers

21

If it is not secure, are there any better alternatives?

It's secure for certain threat models, and the best tradeoff for accessibility vs attack surface. To intercept an SMS, you have to have some control over the routing of the messages or the device receiving it.

Without privileged information / insight provided at the carrier level, SMS is the best authentication method available despite its flaws including convincing users to send a 3rd party the code when they receive it.

If you need a stronger confirmation of some kind of connection between identity and a user online, you probably require something that's not a phone to be involved. Mailing a hardware token that is paired with a code displayed to the user is more secure, but it's also more costly and slower. FIDO2 stands to prevent replay, but doesn't permit the sense of scarcity that phone numbers do, as most people won't pay the money to be able to register lots of phone numbers, unless you're getting into attestation signatures, and that opens a whole new can of worms...

Each of these "stronger" solutions addresses different problems and raises additional cost and complexity burdens put upon either the company, the end user, or both. SMS remains the most attainable target for the general public.

Jeff Ferland
  • 5
    ...or just get access to the network the messages are delivered upon, as has been widely reported. For example: https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin If easy TOTP and HOTP solutions weren't readily available with good free clients for everything ranging from web browsers, desktops, and mobile devices / wearables, I'd agree that SMS would be an acceptable second factor despite the risk. But since those things do exist, SMS falls to a distant second in my personal estimation. – dannysauer Jul 14 '20 at 15:23
  • 5
    [HT]OTP methods are superior for security, but as noted above don't provide resource scarcity, connection to a phone number, and require higher knowledge from the user including not losing the token secret when they damage or lose a device. – Jeff Ferland Jul 14 '20 at 18:15
  • 2
    I don't think it is possible to claim that it is the "best tradeoff" or the "best authentication method available" without specifying an application, or the preferred level of trade-off between security and usability. In my opinion, having been the victim of identity theft via my mobile number, I prefer OTP. – craq Jul 15 '20 at 01:07
  • 1
    I should add that OTP has a major advantage in that it can work without being connected to a network (i.e. in "airplane mode", in the middle of nowhere, or while roaming). – craq Jul 15 '20 at 01:17
  • @craq Another (probably rare, depending on one's home/job) example of not being connected is right in the middle of a large metropolitan area, but not getting tower reception due to thick walls. I've been unlucky enough to always get a place where I get high speed internet through wifi but not even enough signal to receive an SMS – Martheen Jul 15 '20 at 04:42
  • That said, *teaching* users on how to back up their TOTP apps/recovery code so they don't lose it when their phone got lost/broken is far harder than offloading such recovery to mobile operators. Snooping text through SS7 exploit or just naughty apps would have to become even more rampant before websites consider pushing more for TOTP rather than SMS – Martheen Jul 15 '20 at 04:42
  • Ever heard of "SIM swap attack"? People have lost millions of dollars as a result of targeted attacks where SMS verification was all that was required to access the service. – Aleks G Jul 15 '20 at 09:26
  • Telling people to use authy or lastpass or one of the other systems where the OTP secret is backed up usually works out ok... as long as they don't use the same password for that as they used for services to begin with. – dannysauer Jul 15 '20 at 19:49
19

Originally this question wasn't about SMS verification (e.g. for password recovery or MFA), but about validation of the phone number. This answers that question.

The purpose of the verification is not to validate ownership of the number, but only access to it. Verifying the ownership of a subscription would be a legal thing and require legal documents. Parents typically own the subscriptions for their children, workplaces for the employees etc. Furthermore, there's no need to verify the ownership, as the use cases are related to the access.

You are asking for a better verification than SMS, but SMS is the easiest verification available, as there are not that many methods that are both bound to the number and accessible by its user. Well, the system could call the user and a robot could tell the secret, but that doesn't add anything, because phone calls could be listened to, too. It would also be a nightmare for the hearing impaired.

On the other hand, there's no real need for stronger authentication, as the purpose is to prevent mistyping the number, possibly rendering e.g. MFA unavailable for the user. From the site's perspective the verification might also be for avoiding unnecessary messages to third parties, if you accept SMS notifications or even advertisements.

Esa Jokinen
  • 2
    The reason I am concerned about Google, Facebook, and others using SMS for verifying a user's access to a mobile number is that later, when an account gets locked, they use the same phone number to unlock the account. – Lone Learner Jul 14 '20 at 05:00
  • @LoneLearner Why do accounts get locked? – user253751 Jul 14 '20 at 13:07
  • 3
    @user253751 Any number of reasons, but the most common is in response to the system detecting anomalous activity typically indicative of an attempt to compromise the account. – Austin Hemmelgarn Jul 14 '20 at 13:30
  • 3
    The original question was about **verification/validation of the phone number**, not about verification using the phone number (after it has been validated). This answer is for the [original](https://security.stackexchange.com/revisions/234641/3) question, and therefore it's phrased like this. – Esa Jokinen Jul 14 '20 at 20:11
  • Is this answer US-centric? In South Korea, what Americans might call 2FA via text message is referred to as "identity verification" (본인인증), and the process seems very much meant to demonstrate *ownership,* not access. For example, to watch age-restricted YouTube videos, you need to verify a name, SSN, and cell number. – Max Jul 15 '20 at 03:35
  • Not US-centric, but Western; I'm from Europe. – Esa Jokinen Jul 15 '20 at 04:11
  • @Max Maybe it's South Korea that's more restrictive? Indonesia, being conservative, forces safe-search to be enabled on Google & Bing, with no way to opt out without using a VPN or 3rd party DNS, but age-restricted YouTube videos are just a click away. The identity number is used mostly for financial services to combat money laundering. The closest equivalent to SK is probably the abandoned UK censorship proposal and Australia's upcoming censorship proposal – Martheen Jul 15 '20 at 05:00
  • Ever heard of "SIM swap attack"? People have lost millions of dollars as a result of targeted attacks where SMS verification was all that was required to access the service. – Aleks G Jul 15 '20 at 09:24
  • Yes. Originally this question wasn't about SMS verification for password recovery or MFA, but validation of the phone number. I think I should add this at the beginning of my answer... – Esa Jokinen Jul 15 '20 at 10:30
1

There is a type of attack on these verification systems that has existed in the wild for a couple of years (at least).

Here is how it works:

An attacker calls the target institution posing as an account holder and requests services.

Another attacker working in tandem calls the victim posing as a representative of the same institution investigating possible account fraud.

The institution asks attacker one to verify identity. Attacker one then attempts to use mined information to advance to the SMS verification stage. Attacker two then tells the target to expect a verification code as part of the account resolution process.

The target receives a valid SMS from the institution, which they then relay to attacker two. The code is passed to attacker one, who authenticates with the institution and makes a transaction.

Zaphod
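As an added example (not from any answer or commenter on this page) of how a site can blunt the relay attack Zaphod describes while keeping the code tied to the narrow purpose Esa Jokinen identifies: a constructed Python service in which each code is short-lived, single use, attempt-limited, stored only as a keyed hash, and bound to both the phone number and the action it authorises, with the message text itself naming that action so a coached victim can see the mismatch. The class, the server key, the TTL and the attempt limit are all my assumptions, not any real provider's implementation.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the plaintext code is never stored
    expires_at: float
    attempts_left: int = 3

class SmsCodeService:
    """Constructed example: short-lived, single-use codes bound to number and purpose."""

    def __init__(self, server_key: bytes, ttl: int = 300, now=time.time):
        self.key, self.ttl, self.now = server_key, ttl, now
        self.pending: dict = {}        # (phone, purpose) -> PendingCode
        self.sent_messages: list = []  # stand-in for the SMS gateway

    def _digest(self, phone: str, purpose: str, code: str) -> bytes:
        # Folding phone and purpose into the MAC means a code issued to confirm a
        # number cannot be presented as a password-reset or transaction code.
        msg = f"{phone}|{purpose}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, phone: str, purpose: str, description: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, 6 digits
        self.pending[(phone, purpose)] = PendingCode(
            self._digest(phone, purpose, code), self.now() + self.ttl)
        # The text says what the code authorises, so a victim coached to "read
        # back the code to resolve fraud" can see it approves a different action.
        self.sent_messages.append(
            (phone, f"{code} is your code to {description}. Staff never ask for it."))

    def verify(self, phone: str, purpose: str, submitted: str) -> bool:
        key = (phone, purpose)
        entry = self.pending.get(key)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[key]               # expired: force a fresh code
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(phone, purpose, submitted))
        if ok or entry.attempts_left <= 0:
            del self.pending[key]               # single use, or guesses exhausted
        return ok
```

Rate limiting of how often a code may be sent to one number is a separate control and is deliberately left out here.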