
Design flaws related to SS7 have been known to us for quite a while now, but telcos have conveniently discarded the arguments, saying that the risk is too low due to the significant investment required for performing the attack. But considering the recent news that hackers have performed a real-world SS7 attack to bypass 2FA and siphon off funds, it is pretty clear that the return on investment in these attacks will cover the costs.

Should we, as application developers and pen testers, consider SMS-based 2FA as a weakness?

  • I suspect it depends on the context. If the choice for some legacy system is SMS or no 2FA, probably better to have the SMS on. If there is an option for TOTP or similar, that'd be better...
    – Matthew
    Commented May 4, 2017 at 16:08

1 Answer


The newest draft of the NIST Digital Identity Guidelines deprecates the usage of Two Factor Authentication via SMS.

I would recommend utilizing Google Authenticator (or similar technology) to facilitate 2FA moving forward, and abandoning SMS-based out-of-band verification.

  • That was a draft and has been revoked; the latest version has no such recommendations.
    Commented Aug 10, 2018 at 11:24
  • @MartinSchröder, but in the finalized version, SMS and other telephone-based out-of-band factors are RESTRICTED. There are tons of services using SMS that I have seen, and NONE of them meet the restricted standards except perhaps Microsoft, and even that is a sketchy interpretation of the standard.
    – NH.
    Commented Dec 13, 2018 at 20:39
