
Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 12:38 pm
by URSnshn
A couple of questions on security setups with respect to two-factor authentication and SMS vs. receiving codes via phone:

1) Even if you have to use SMS rather than Google Authenticator, Authy, a key, or other methods, etc., IT IS BETTER to have 2FA than not have it. Correct?

2) Is SMS more or less secure in general than a phone call with the code? So, if you have no choice but to use one or the other to get the code, which is more secure: a phone call or a text?

3) And, if you go with a phone number to receive your codes ... what is the order of security here from less secure to more secure: cell, landline (same as cell, as it can be ported), VoIP, Google Voice?

4) If the phone number isn't used and/or associated with my name, does that make a difference, or am I missing something?

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 12:47 pm
by Hyperborea
URSnshn wrote: Mon Sep 18, 2017 12:38 pm A couple of questions on security setups with respect to two-factor authentication and SMS vs. receiving codes via phone:

1) Even if you have to use SMS rather than Google Authenticator, Authy, a key, or other methods, etc., IT IS BETTER to have 2FA than not have it. Correct?

2) Is SMS more or less secure in general than a phone call with the code? So, if you have no choice but to use one or the other to get the code, which is more secure: a phone call or a text?

3) And, if you go with a phone number to receive your codes ... what is the order of security here from less secure to more secure: cell, landline (same as cell, as it can be ported), VoIP, Google Voice?

4) If the phone number isn't used and/or associated with my name, does that make a difference, or am I missing something?

1) I think it is questionable, and possibly weaker against a concerted attack, to have SMS authentication. Some institutions give you no choice, however, and you must get an SMS or email secondary login code.

3) Use Google Voice. There are no human operators to social engineer. You can lock your phone number from being ported. You can use a Google account separate from your mail account (either a different Gmail account or email somewhere else) that you use for the financial account in question.

4) That's obfuscation and it may slow or even prevent an attack but there are no guarantees. If you were to go this route then maybe some sort of "burner" phone that has no name on it. This however will cost you some money and the GV option is free and likely more secure.

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 1:10 pm
by runner3081
One thing to keep in mind: many phone authorization systems do not accept Google Voice/FreedomPop/etc. numbers. They need a real cell number through a cell service.

Have run into this numerous times lately. Most recently Uber and CVS.

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 1:20 pm
by keystone
URSnshn wrote: Mon Sep 18, 2017 12:38 pm A couple of questions on security setups with respect to two-factor authentication and SMS vs. receiving codes via phone:

1) Even if you have to use SMS rather than Google Authenticator, Authy, a key, or other methods, etc., IT IS BETTER to have 2FA than not have it. Correct?

Let's say someone ports your mobile number and now has control of it. Then they hit the "forgot my password" option and get an SMS message sent to the number. Now this person has control of your phone and email. So it doesn't seem like 2FA with SMS is better than not having it.

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 2:51 pm
by Xpe
keystone wrote: Mon Sep 18, 2017 1:20 pm
URSnshn wrote: Mon Sep 18, 2017 12:38 pm A couple of questions on security setups with respect to two-factor authentication and SMS vs. receiving codes via phone:

1) Even if you have to use SMS rather than Google Authenticator, Authy, a key, or other methods, etc., IT IS BETTER to have 2FA than not have it. Correct?

Let's say someone ports your mobile number and now has control of it. Then they hit the "forgot my password" option and get an SMS message sent to the number. Now this person has control of your phone and email. So it doesn't seem like 2FA with SMS is better than not having it.

It's definitely better to have 2FA than to not have it. Gaining access to someone's email isn't as simple as just having gained access to their incoming text messages. Try it; see how many other pieces of info you would need besides the SMS verification code in order to access your Gmail. (I just tried it and was satisfied.) Beyond Gmail, very few, if any, services use your second factor as a password reset mechanism, which makes it impossible for 2FA to decrease security on those sites, even if your attacker has your SMS codes.

Plus, if you're concerned about someone porting your phone number, it's very easy to secure your phone account against that type of attack. Verizon, for example, won't even talk to you if you are unable to enter the account PIN (so everyone should enable the account PIN!), and I think you can set security questions as well (set random alphanumeric answers and store them locally).

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 3:07 pm
by Ndop
Telcos generally require PINs when you call in, but what if you forget or lose it? Will they never allow you access again? They will give you access again if you can give enough identifying info. Post-Equifax, a criminal could get enough info to impersonate you and sweet-talk a customer service rep into transferring your phone number to a different phone. So an account PIN alone is not enough to be maximally secure.

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 3:36 pm
by Xpe
poordad wrote: Mon Sep 18, 2017 3:07 pm Telcos generally require PINs when you call in, but what if you forget or lose it? Will they never allow you access again? They will give you access again if you can give enough identifying info. Post-Equifax, a criminal could get enough info to impersonate you and sweet-talk a customer service rep into transferring your phone number to a different phone. So an account PIN alone is not enough to be maximally secure.

I can only speak for Verizon, but you literally can't talk to anyone unless you enter your PIN. If you forgot your PIN, they send a temporary PIN to your number. If you don't have access to your phone (broken, lost, etc.), then you have to go to a Verizon store and provide photo ID, etc.

Re: Best Practices - 2FA - SMS and Phone Type?

Posted: Mon Sep 18, 2017 4:09 pm
by Texanbybirth
What if the number you give for SMS 2FA is someone else's number? For example, I use my wife's number for my Gmail 2FA and she does vice versa for hers.