Two years ago, the National Institute of Standards and Technology (NIST) proposed the deprecation of SMS two-factor authentication (2FA) because it was getting too easy for attackers to steal authentication codes from victims. The U.S. carriers AT&T, Verizon, Sprint, and T-Mobile announced a new, supposedly more secure solution to replace SMS 2FA.
SMS 2FA Deprecation Long-Overdue
Two-factor authentication still isn’t as popular as it should be. A recent report said that only 10% of Gmail users enabled it despite the fact that those Gmail accounts could not only contain sensitive personal information, but they could also give access to virtually all of a user’s online accounts, too.
John Podesta, Hillary Clinton’s presidential campaign chairman, learned this the hard way, as did many other people who suffered attacks against their email accounts that could have been saved if they had enabled 2FA.
However, most online services hardly even offer 2FA on their sites, let alone mobile app authentication or authentication through a hardware security key. TwoFactorAuth.org has compiled a relatively comprehensive list of online services that offer 2FA security if you want to learn more.
Most of the sites that do offer 2FA as an option typically only allow authentication through an SMS code, and this is still true even after NIST announced the deprecation of SMS-based 2FA two years ago.
Threat Of SS7
There are multiple ways in which attackers could get your SMS 2FA code, including by calling the carrier, pretending to be you, and asking to port your number to their phone. Then, they would be able to request an SMS code that’s tied to whatever online account they’re trying to hack.
However, perhaps the easiest way to do it is through the Signaling System Seven (SS7), a system that connects calls and SMS messages from one carrier to another. Representative Ted Lieu showed two years ago how easy it was for someone to intercept his calls using this method. He then asked carriers to fix it as soon as possible. However, we haven’t heard much from the carriers about their work on that front in the time since.
New Carrier Authentication Solution
The four major U.S. carriers joined together in the Mobile Authentication Taskforce to develop “a highly secure and trusted multi-factor authentication platform powered by the carrier networks” that could be used by both enterprises and consumers to secure their devices against hacking.
The GSM Association (GSMA) also seems to have been involved in this effort. Alex Sinclair, Chief Technology Officer at the GSMA, said the following in AT&T’s post:
“As mobile becomes the remote control for day-to-day life, mobile identity is key to making things simpler and more secure for consumers.
“The GSMA has been working with operators around the world to bring a consistent and interoperable, secure identity service and this taskforce will strengthen that effort by enabling a simple user experience quickly and conveniently in the US market.”
According to AT&T, this new solution will deliver a cryptographically verified phone number and profile data for users of authorized applications, with their consent. On its own, this shouldn’t do much, as it would simply guarantee that a number is real. However, the security of the solution will also be backed by the IP address, SIM card attributes, phone number tenure, phone account type, and more.
Is It More Secure Than SMS 2FA?
This carrier-based mobile authentication solution will essentially check multiple phone and network attributes to see if the person with a phone number is who they say they are. However, at first glance it looks like most of that security-related metadata could be easily spoofed by potential attackers. After all, it’s trivial to spoof an IP address or a phone’s type. SIM card attributes may be harder to spoof, but doing so is not exactly out of reach for more sophisticated attackers.
The whole solution may have the primary goal of replacing SMS 2FA, but at the same time it looks like it’s designed for convenience. AT&T hasn’t released more details yet, but it doesn’t seem that this solution would require a code from the user.
We’ve reached out to AT&T to gain more insight into how it works on a more technical level and whether or not it’s designed to have built-in “lawful intercept” technology that would allow law enforcement agencies to disable the security guarantees when requested.
Ultimately, whatever the security guarantees of this new technology are, they will have to be proven in the real world. The carrier taskforce will begin testing the technology in the next few weeks, and consumers will have access to it by the end of the year.