Friday, October 5, 2018

SMS Text Message Login Codes Autofill But Remain Insecure

Glenn Fleishman:

Sites originally chose to use SMS-based code validation for 2FA to lower the barriers to 2FA—more people understand SMS than authentication apps. And, regardless of the vulnerabilities of SMS, it’s far better to use a second factor than not, because it deters wholesale attacks against accounts. Even if an attacker gained access to all the decrypted passwords for a service, every account with 2FA enabled would still be able to resist unauthorized logins. But SMS-based 2FA is vulnerable to targeted attacks and identity theft.

Apple’s proprietary 2FA system for macOS and iOS remains extremely robust, but it still allows the use of SMS and voice calls as a backup when trusted devices aren’t available.

[…]

While it’s admirable Apple has streamlined SMS code entry, it would be even more so if the company would kickstart the move away from SMS.

2 Comments

It's even more insecure in countries like Russia, where authorities or a party with access to a corrupt telecom employee can quickly and temporarily redirect SMS traffic.

While it makes sense to shut down the fraud door with SMS and phone calls, realistically that's not an option with any general consumer-facing product. For more techie-oriented products you can remove those options, and if you lose your second factor you lose your phone. Do that with the typical consumer and tell them their $1400 phone is now bricked because they lost their password.
