Jack Dorsey, famous for co-founding Twitter, is in the news currently as his Twitter account was hijacked. Most stories have been pains to point out that Twitter wasn’t directly attacked: instead, they went for his mobile phone. This raises the question: if you use your phone for authentication, how secure is it?
Authentication - proving you are who you say you are - is often done by password alone. However, for many systems, this isn’t good enough: passwords are easily guessed, broken or shared. For sensitive data, you want a stronger system. “Two-factor authentication” (or, “2FA”) refers to having two pieces of evidence to authenticate a user: usually a password plus something else.
You’ll have seen this in your online banking or other sensitive applications. Ideally, the second factor is genuinely independent: it shouldn’t be two different things you remember, for example (although even some banks get this wrong!). Knowing that many users have mobile phones, an SMS text has been a common second factor. When you enter your password, the system sends a PIN to your phone, and you have to enter that also.
2FA is thought of as a gold-standard for authentication. While an attacker might be able to guess a password remotely, they would find it difficult to both guess a password and break into a phone. But, like any system, it’s only as secure as the factors involved.
How was Jack’s account broken into?
As the news stories say, this was a SIM-swapping attack: a new SIM card was issued for Jack’s phone number, and attackers could send SMS as if they were Jack. It turns out, they didn’t get into his Twitter account at all: instead, they used the SMS-to-Tweet sevice that Twitter provides to send SMS messages from Jack’s number. These were automatically gated into Jack’s Twitter feed.
I initially found this explanation quite surprising, because if you have control of a mobile phone number, there are much more sophisticated attacks available. In particular, it’s more common that an attacker would do an account reset, using the captured phone number as part of the reset process. However, this can also give the game away to the intended victim, as they would likely see any reset messages as well.
There are many users of SMS-based authentication. HMRC use SMS messages to verify logins, and many banks will send SMS messages to verify credit card transactions, just as two obvious examples. We’re becoming much more reliant on using our phones as authentication devices, since we always have them with us.
Are phones good for 2FA? Generally, no. A lot of the authentication we do is on the phone in the first place: logging into your email, for example. If your phone stores the password for your mail account and receives the verification by SMS, you’ve taken an OK two-factor process and turned it into a single-factor authentication again: if an attacker has your phone and can unlock it, that’s it.
It’s not straightforward to take over someone’s mobile phone number, and it still requires considerable luck / knowledge to execute - for one thing, you need to know the victim’s phone number. Sometimes that’s a matter of public record, but that would be rare.
Here’s the thing, though: there are already much stronger forms of authentication available than SMS. All modern phones have hardware chips installed which can conduct secure forms of authentication: if you use a fingerprint or your face to unlock the phone, you’re already using this technology.
You may have also seen this on your computer: for example, if you log into Windows 10 with a PIN, you’re almost certainly using some hardware support.
This hardware support is a good thing because it locks the authentication to the specific hardware device you’re using. With the PIN as an example, it doesn’t matter if an attacker elsewhere has your PIN - without the laptop or phone, they can’t use that to get into your account. Taking over a mobile phone number cannot give them access in this scenario.
Specific authentication applications, like Google’s or Microsoft’s authenticators, also use this hardware. As they rely on push notifications which are tied to your device, they’re also secure from other forms of take-over. Separate devices, like Yubikeys, can also be a great answer here, and many of them are now mobile-friendly in some way.
Think about business continuity
As with most things, an upside in one area comes with a similar downside in another. In this case, increased reliance on hardware security devices makes it that much more important you plan for business continuity. This is particularly important with your phone, which is much more likely to get damaged or lost.
At my current count, spread over three authentication systems, I have about 12 hardware-locked 2FA code systems. If I lose my current phone, I need to make sure that I can restore all of these onto a new device. This is generally straightforward, if time-consuming, if you have your old device with you - transferring accounts from one to another isn’t always possible, but you can always use the old device to verify the new one.
However, if you lose the current device for whatever reason, can you get back into your account? There may be a number of options:
- password reset via a separate system (often e-mail). This isn’t necessarily great from a security point of view, though, and it’s also not going to help you get back into your e-mail specifically!
- account reset via customer services. For some systems this may not even be possible, but it will definitely be time-consuming
- temporary account codes. Most 2FA systems will allow you to generate a set of one-time use passwords you can use in a reset situation. Make sure you download these before you have any problems, and keep them in a safe place!
With my most recent phone, it took me about a half hour to restore my various authentication credentials - much longer than I expected. If your role involves any sort of organisational business continuity (for example, if your job is to get servers up and running again after problems) you should also think about whether there are scenarios where you have to restore your personal access before you can go and restore the services you’re managing, too.
Last but not least, many businesses have mobile devices under organisational control - and this is brilliant for hardware management. If a device gets lost or stolen, you can often issue a remote wipe or otherwise disable the device and the data on it. But remember, this can also be done accidentally or maliciously: any 2FA data or applications will be damaged by any remote wipe as well! Do your threat scenarios include an attackers breaking into your Office 365 and remote wiping the mobile devices of your administrators? I can tell you now, that will not be a happy position to be in.