Bill,

You don’t even have to bother with social engineering, as Bruce Schneier points 
out in his blog from last month:

https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html

"It turns out that with a little bit of anonymous money — in this case, $16 off 
an anonymous prepaid credit card — and a few lies, you can forward the text 
messages from any phone to any other phone."

 -mel

On Apr 18, 2021, at 8:24 AM, Mel Beckman 
<m...@beckman.org> wrote:

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 
2FA. There are many ways to attack SMS, not the least of which is social 
engineering of the security-unconscious cellular carriers. The bottom line is, 
why use an insecure form of communication for 2FA at all? Since very good 
hardware-token-quality OTP apps are freely available, why be so lazy as to 
implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized 
password is just wrong. 2FA is meant as a bulwark against passwords that very 
often are disclosed by data breaches, through no fault of the password owner. 
2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure 
on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

  -mel

On Apr 18, 2021, at 8:02 AM, William Herrin 
<b...@herrin.us> wrote:

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman 
<m...@beckman.org> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s 
not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



--
William Herrin
b...@herrin.us
https://bill.herrin.us/

