SMS-based authentication continues to be a great way to lull users into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published research that puts numbers on the fraud losses from these threats: SIM swaps cost criminals $10-15 per SIM, with gains from the resulting fraud being over $1,000.
That’s a good return on investment.
It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure.
Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users the option to completely disable SMS. Ironically, this makes the authentication process for posting vacation photos more secure than your bank (if they use SMS-based auth).
Enter another tech darling, Dropbox. I’ve been exchanging emails with their support people over the last couple of weeks to see if I could disable SMS. Their official response from support was:
Currently it would not be possible to disable the SMS option completely. This step ensures that you have a backup method, in case a device doesn’t support your security key.
OK, I understand why. Not every device, such as an iPhone, will fully support a U2F authenticator (yet). But, why not include other options such as the Google Authenticator rolling codes or a push notification to another device already logged in (Apple does this well)? Ironically, Yahoo has figured out better authentication options than Dropbox—and we all know the only thing Yahoo is good for is their fantasy football platform.
https://twitter.com/BrandenWilliams/status/1144228219090063362
Ultimately, it’s up to all of us to push the platforms we rely on to leverage safer authentication technologies, or at least to provide safer configurations for the growing community of users who distrust SMS-based authentication.