SMS as a 2FA Method

I’ll be the first one to admit that I jumped the gun a little when Twitter announced that their founder, Jack Dorsey, had his account hijacked.

Initially, no one (including yours truly) had details as to how his account was taken over. However, all fingers pointed at an SMS jacking, which wasn’t terribly far from the truth. The assumption was that this allowed the attackers to use SMS combined with some knowledge of Jack’s password to access the account. That turned out to be inaccurate:

So, yeah, it wasn’t a 2FA hack, but it did show how fragile an account can be when SMS is involved. There’s a reason NIST deprecated SMS as an out-of-band factor of authentication when they updated their 800-63-3 standard.

SMS is still dominant as a method of two-factor authentication because it is one of the lowest barriers to entry, both for the identity provider (IdP) and the user. It is also arguably the least secure method, as Jack Dorsey’s case proved.

That said, if SMS is your only option for 2FA, use it. In the case of Twitter, it is not (much to their credit). You can use an application-based method (such as Microsoft Authenticator, Google Authenticator, or Authy), a security key using FIDO’s Universal 2nd Factor (U2F) protocol, or both. For account recovery, you can store a backup code in your password manager (or somewhere else).
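To make concrete why an authenticator app is a different kind of factor from SMS, here is an added example (not code from this post or from any of the vendors named above). An app and the server share a secret once, at enrollment; every code after that is derived locally from that secret and the clock (RFC 6238 TOTP on top of RFC 4226 HOTP), so no code is ever transmitted to a phone number. The block also shows the server-side checks a practitioner wants (drift window, constant-time compare, replay rejection) and the one-time backup codes mentioned above. The secret is the RFC 6238 test-vector secret, not a real credential; the window size and hashing of backup codes are my assumptions, not anything the post specifies.

```python
"""TOTP (the 'authenticator app' factor) plus one-time backup codes, end to end.

Added example. The secret below is the RFC 6238 reference secret (ASCII
"12345678901234567890") in base32, the form an app would scan from a QR code.
It is test-vector material, not a real credential.
"""
import base64
import hashlib
import hmac
import secrets
import struct

RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app displays."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check (window of +/-1 step is an assumption, not a standard requirement).

    Accepts the current step and its neighbours to tolerate clock drift, compares in
    constant time, and refuses any counter <= last_counter so a code that was already
    accepted cannot be replayed within its lifetime. Returns (ok, new_last_counter);
    the caller persists new_last_counter on success.
    """
    secret = base64.b32decode(secret_b32.upper())
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_counter:
            continue  # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


def issue_backup_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Recovery codes: plaintext is shown once (user files it in a password manager);
    the server keeps only SHA-256 digests. A plain hash is adequate here because the
    codes are 80-bit random values, unlike user-chosen passwords."""
    plain = [secrets.token_hex(10) for _ in range(n)]
    return plain, {hashlib.sha256(p.encode()).hexdigest() for p in plain}


def redeem_backup_code(stored: set[str], submitted: str) -> bool:
    """Each backup code works exactly once: its digest is removed when used."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    shown = totp(RFC_SECRET_B32, now)
    print("app shows:", shown)
    print("server accepts:", verify_totp(RFC_SECRET_B32, shown, now))
```

The point to take from the verify step: the only thing that crosses the network is a six-digit code the user types, which is useless a minute later and cannot be obtained by taking over a phone number. By contrast, an SMS code is generated by the server and delivered through a channel the user does not control.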

A key can cost as little as $20 and can be used to secure a number of your critical accounts.

Twitter caught a lot of flak on this case, somewhat unfairly. That being said, I do think they should remove SMS as a method for 2FA. Mobile apps for 2FA are pretty ubiquitous and a low barrier to entry for all users. So help your user base out, and turn it off. That wouldn’t have saved Jack, but that is a post for another day.

Dropbox, 2FA, FIDO, and You

Dusting the blog off for a PSA. Hopefully most of you are aware of the news surrounding Dropbox’s 2012 hack and some of the new details surrounding it.

Not going to say too much beyond this but simply request that my friends (or anyone who reads this) do the following:

  1. If you’re using Dropbox, change your password, even if you’ve done it since 2012. Make the new password unique (avoid reuse, especially for services like this) and strong.
  2. Please, please, please set up two-factor authentication (2FA). This article walks you step by step through the process. Do NOT opt for text messages as the form of verification. Easiest is using a mobile app. If you want a recommendation, go with Authy. It’s a terrific mobile app and syncs across devices. It has the added benefit of working with a number of common services like Gmail, Facebook, Amazon, Microsoft Live, WordPress, Evernote, Tumblr, Slack, and I’m sure a list of others.
  3. Consider, in addition to #2, buying a FIDO U2F compliant security token, like a YubiKey, to secure the account. It’s not as convenient for mobile, but is more secure in my opinion. Doing 1 & 2 gets you solid. #3 is even better.

Finally, seriously consider setting up 2FA for all your accounts that have it. If you aren’t sure if your service offers it, check here. If they don’t, tell them to get it or consider a competitor. If they only have SMS/text for 2FA, consider a competitor.