31 07 17

Phone auth

Not as secure as you may think.

There’s been a lot of buzz around multi-factor authentication lately. Some services have been offering it for quite a while, by sending temporary login codes to your phone via text message. Hell, my bank does this! But text messages really aren’t a very secure channel to send such data over.

The problem is that it’s not terribly difficult to man-in-the-middle text messages: intercept them, read them out, and maybe even alter them before they’re routed on to your phone. They’re not encrypted. What’s more, your phone number is easily spoofed, so someone with malicious intent could call whatever company runs the site they’re trying to get into and pretend to be you.

Of course there’s also the issue of losing your phone or getting it stolen. “But I have a lock screen password!” Sure, but are text messages displayed on the lock screen regardless? And even then, you need to trust your phone to stay secure once in the hands of an attacker. This is doubly true for authenticator apps.

For real security, dedicated physical keys seem to be the way to go. I should get one.
