The Limits of SMS for 2-Factor Authentication

  • 8 September 2016

7th September 2016
 
A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.
 
Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.
 
Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).
 

2 replies

Been saying this for a while now, especially when you hear companies trumpeting that they are moving to 2FA... a bit like closing the barn door once the horse has bolted... 2FA is now passé and 3FA is the way to go for the moment.

Answers long-standing questions I've always had about SMS 2FA. Comments section is full of info also. I have in the past had a couple of Google Authentication Codes appear out of the blue. Knowing they were false, I simply deleted them. For me it was very informative. It seems that we must question and be constantly skeptical of everything in our cyberworld. Just saying.
