top | item 40046156


alufers | 1 year ago

I know everybody says how bad SMS 2FA is, and how we should replace it with the next cool thing $BIGCORP invented (thus requiring you to have an account with them, which only defers the problem).

But couldn't we pressure the telecoms to improve it?

I have an idea that would make SIM swaps way harder to execute. Namely, a website that wants to authenticate you should be able to query the telecom for some kind of SIM card ID. This would happen before sending a 2FA code.

With such a feature it would be easy to store the SIM card ID in a database when enrolling the phone number. Later, when the user tries to authenticate and the ID does not match what was saved before, the account is locked out. For enterprise accounts you would need to explain yourself to IT, and for personal accounts a fallback 2FA would have to be used. Alternatively, the authentication would be delayed for a few days to give the legitimate owner of the SIM card time to react.

Another thing that could be added on top of this is to send an SMS to the old "inactive" SIM, alerting the original owner of the attack.

EDIT: To add to this, here are some advantages of SMS 2FA over time-based OTP or passkeys:

1. My grandma can use it with her dumb phone and poor digital skills.
2. Your SIM card will most likely survive if your phone is destroyed due to water or physical damage. (Sadly not true for eSIM.)
3. You can dictate an SMS/OTP code over the phone, or forward it to somebody you trust.
4. Banks can append a short description of what you are currently authorizing. It can tip you off in case your computer is infected with malware, or you are a victim of one of those TeamViewer scams.
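A small model of the scheme described in this post, added here as an example and not code from the post or from any carrier. The carrier SIM-ID lookup (`carrier_lookup`) is a hypothetical API, the phone number and SIM IDs are constructed sample data, and time is a plain day counter:

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical carrier lookup the post proposes (not a real API): number -> ID of its current SIM.
CARRIER_SIM_ID = {"+15550100": "SIM-0001"}  # constructed sample data
DELAY_DAYS = 3  # grace period for the legitimate owner to react

def carrier_lookup(phone: str) -> Optional[str]:
    return CARRIER_SIM_ID.get(phone)

def simulate_sim_swap(phone: str, new_sim_id: str) -> None:
    """Test helper: the carrier now binds the number to a different SIM."""
    CARRIER_SIM_ID[phone] = new_sim_id
@dataclass
class Enrollment:
    phone: str
    sim_id: str                          # SIM ID captured when the number was enrolled
    enterprise: bool = False
    pending_since: Optional[int] = None  # day a mismatched SIM first tried to log in
    locked: bool = False

def enroll(phone: str, enterprise: bool = False) -> Enrollment:
    sim = carrier_lookup(phone)
    if sim is None:
        raise ValueError("number not known to carrier")
    return Enrollment(phone, sim, enterprise)
def check_sim(rec: Enrollment, today: int, alerts: list) -> str:
    """Run before any OTP is sent; returns what the site should do next."""
    if rec.locked:
        return "locked"
    current = carrier_lookup(rec.phone)
    if current == rec.sim_id:
        rec.pending_since = None
        return "send_otp"                # SIM unchanged: normal SMS 2FA
    # SIM ID differs from the enrolled one: treat as a possible SIM swap.
    if rec.enterprise:
        rec.locked = True                # enterprise: lock until the user explains to IT
        return "locked"
    if rec.pending_since is None:
        rec.pending_since = today
        # Warn the old, now inactive SIM so the real owner can react.
        alerts.append((rec.sim_id, "Login attempted with a new SIM for your number"))
    if today - rec.pending_since < DELAY_DAYS:
        return "delayed_or_fallback"     # personal: wait out the delay or use fallback 2FA
    rec.sim_id = current                 # delay passed without objection: accept the new SIM
    rec.pending_since = None
    return "send_otp"

def report_fraud(rec: Enrollment) -> None:
    """Owner answered the alert within the grace period: freeze the account."""
    rec.locked = True
```

The `alerts` list stands in for the SMS sent to the old SIM; one alert is raised per mismatch episode, not per login attempt.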

pcai|1 year ago

I think this is conceptually wrong from a layering perspective because you're punching through the abstraction and making it leaky on purpose. This just moves the problem down one layer in the stack - there will be legitimate new use cases for “SIM card ID spoofing” and then we’re back to square one. Also, from a usability standpoint, “getting a new phone” is precisely the wrong time to lock users out of their accounts.

A perfect analogy would be trying to implement security with MAC addresses, but applied to the internet. It just makes a mess of an abstraction layer and then you have to rebuild it because those abstractions were useful (MAC address spoofing has legitimate uses because MAC addresses were used for security and then people realized they needed to be able to transparently swap things out).

mjmahone17|1 year ago

In your scheme, how do I transfer money from my bank after my phone is stolen and I need to get a new phone without access to the original SIM? Or access my email?

If that’s just impossible, how do I fix the issue? A “fallback 2FA”: what is that exactly?

alufers|1 year ago

Probably one time use recovery codes you are supposed to print and keep in a safe place. In case of a bank this could also mean a trip to the nearest branch for ID verification.

The same issue you mentioned applies to other 2FA methods. Your TOTP codes and passkeys also live on your phone, Yubikeys can be stolen too.