SMS Text Message Login Codes Autofill in iOS 12 and Mojave, But Remain Insecure


(Glenn Fleishman) #1

Originally published at: https://tidbits.com/2018/10/04/sms-text-message-login-codes-autofill-in-ios-12-and-mojave-but-remain-insecure/

Apple streamlined two-factor login confirmations via text message in iOS 12 and macOS 10.14 Mojave. But using SMS to validate your login remains problematic because of phone number hijacking. Apple should lead the way to retire it.


(Simon) #2

I’m not sure I understand why we should give up on using text message 2FA because of phone number porting. Shouldn’t the proper response to the issue be that carriers are forced to ensure that I and only I can authorize them to move my phone number to another SIM or device? I would expect the carrier to be responsible for safeguarding my number since they are the only party who can do that. If they aren’t willing to do that, why should I be doing business with them in the first place?


(Glenn Fleishman) #3

Any system that relies on human frailty will fail.


(Doug Miller) #4

The answer is yes, the carriers should secure us from SIM hijacking, but they remain imperfect. What remains nearly impossible to hijack (if not impossible) is time-based one time passwords (TOTP), such as those delivered by applications like Google Authenticator or Authy, or even the method used by Apple with their devices, which delivers these messages to all devices using the Apple ID to approve a new login.

Here is a recent article detailing how easy it is to be SIM-hijacked: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin (and I apologize if this has been linked before.)

Plus the accompanying “what we can do to protect ourselves”: https://motherboard.vice.com/en_us/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks


(Paul Chernoff) #5

Phone companies are supposed to ensure that you are the person authorizing them to move your phone number to another SIM. But in reality this doesn’t happen often enough. The customer support people end up doing the move in the name of customer support. There is no reason to believe that the phone companies will get any better at it.

There is a big difference between “should” and “does.”


(Glenn Fleishman) #6

Yeah, I was being facile above, but that’s it. There’s no sensible way to use SMS reliably, because both the telephone switching system (SS7) used globally cannot be properly secured (allowing hacking and interception), and the way in which user accounts and phone portability has been designed prevents creating a process with enough identity integrity that it won’t frustrate average people who won’t be able to reliably cross the security bar.

Using an authentication app or Apple’s 2FA ecosystem makes vastly more sense if you actually want the extra security. SMS is more secure than single-factor password logins, but not secure enough as a continued path forward.


(Glenn Fleishman) #7

And if they make it harder, customers get frustrated and shift carriers — and they also add to the cost and burden of customer service. It’s a no-win situation. 2FA wasn’t designed to work over an insecure medium like SMS in the first place, which is why it’s not a good idea now.


(Simon) #8

So are providers who choose to have their customer service reps put convenience over security not getting sued big time when somebody gets defrauded of hundreds of thousands of $ and/or falls victim to identity theft with serious consequences?

I have to admit I have a hard time seeing how using a myriad of apps should offer better security. How many apps have had security issues? How many businesses (who issue these apps) have been hacked? How many app “stores” have suffered from hacking? iOS might be one thing, but what about the large rest of the world? On another note, how is using a plethora of apps to essentially do one thing (2FA) convenient? I don’t think a world where every online account I have also requires me to download some app that I essentially have to trust blindly is such a great perspective.

I guess I’m just asking a whole bunch of naive questions because the more I hear about the issue the more I wonder if 2FA was such a great idea to start out with. That said, it also sounds like a somewhat regional issue. Identity theft seems to be especially rampant in the US (compared to several western European countries I know). From what I gather perhaps because companies here are not really held to especially high standards when it comes to safeguarding their customers’ data and privacy.


(Glenn Fleishman) #9

The carriers have seemingly negotiated away some liability through disclaimers and disclosures, as I haven’t yet heard of a successful lawsuit. (They may make private settlements and force NDAs to avoid them.)

2FA is a great principle, and SMS isn’t technically a second factor by a lot of definitions. A second factor has to be disconnected from the first. It’s also not a myriad of apps. There are only a few apps that offer TOTPs that people recommend (Authenticator, Authy, Duo Security, and 1Password), and the other apps used for verification are made by the service provider (Facebook, Google, etc.), which has some liability and responsibility.

SMS was convenient, not the right choice.

It gets reported more here, but I cannot believe there’s less of it. A lot of the reporting in Europe will be in non-English languages, reflecting the majority of residents’ native tongues, so likely to be less visible than, say, identity theft in the UK, which is as much of a problem as in America.


(Doug Miller) #10

While I would argue that TOTP apps like Google Authenticator are a bit tech-heavy to explain to the average non-technical user, it surely doesn’t require having a security app for each app that you own. Not only does a single instance of Google Authenticator/Authy work with online services from Google, Facebook, Dropbox, Twitter, Instagram, Amazon, Microsoft (and many others), now 1Password supports storing these TOTP codes for you, and can fill them as well as user ID and password for you. (One might argue that using 1Password to do this is putting all of your eggs in one basket, though.)

Google Authenticator’s great weakness is that there is no way to restore the codes, such as when you buy a new phone and restore from backup. Authy does offer a password-secured cloud backup of these codes, though.

A good, though old, article from TidBits about such a scenario (though the info about Apple is out of date): https://tidbits.com/2013/08/28/dancing-the-two-step-coping-with-the-loss-of-a-second-factor/

And an article about getting started with 2FA using an app like Google Authenticator: https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/

And there is one other method not already mentioned: using a security key made by a company like Yubikey.

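To make concrete what posts #4 and #10 describe, here is an added example (not code from TidBITS, Google, Authy or 1Password) of how a TOTP enrollment works on the service side: the secret is shared exactly once, at enrollment, through a provisioning URI the authenticator app scans, and afterwards only a short time-derived code ever crosses the wire. No phone number is involved anywhere in the path, which is why porting a SIM gains an attacker nothing. The `TotpEnrollment` class is a hypothetical helper written for this thread, and the 20-byte secret used in the demo is the published RFC 6238 test-vector secret, not a real credential.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


class TotpEnrollment:
    """Server-side record of one user's authenticator enrollment (hypothetical helper)."""

    def __init__(self, secret: Optional[bytes] = None, step: int = 30, digits: int = 6):
        # Fresh random secret per enrollment; stored only here and in the user's app.
        self.secret = secret if secret is not None else secrets.token_bytes(20)
        self.step = step
        self.digits = digits
        # Highest time-step counter already accepted: a code is single-use even
        # though the verifier tolerates a one-step clock skew in either direction.
        self.last_counter = -1

    def provisioning_uri(self, account: str, issuer: str) -> str:
        """otpauth:// URI, the format Google Authenticator, Authy and 1Password import.

        This is the one moment the secret leaves the server (usually as a QR code)."""
        b32 = base64.b32encode(self.secret).decode("ascii").rstrip("=")
        label = quote(f"{issuer}:{account}")
        return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
                f"&algorithm=SHA1&digits={self.digits}&period={self.step}")

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept the code for the current step or its neighbours, never twice."""
        counter = int(unix_time) // self.step
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed, or older than one we accepted: reject replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test secret ("12345678901234567890" in ASCII), used so the
# output can be checked against the published vectors; never reuse it for real.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    enrollment = TotpEnrollment(secret=RFC_SECRET)
    print(enrollment.provisioning_uri("alice@example.com", "ExampleService"))
    now = 59  # RFC vector: step counter 1
    code = totp(RFC_SECRET, now)
    print("code at t=59:", code, "accepted:", enrollment.verify(code, now))
    print("same code again:", enrollment.verify(code, now))
```

The `verify` method is where the thread's "what remains impossible to hijack" claim rests: an attacker who intercepts a code has at most one 30-second step (plus the skew window) to use it, and once the legitimate user has used it the `last_counter` check refuses it outright. What TOTP does not protect against is loss of the secret itself, which is exactly the restore-from-backup problem post #10 raises about Google Authenticator.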

(David Weintraub) #11

Apple does have a two factor authentication system that handles the security issues that SMS two factor authentication has.

I wonder if it’s possible to open up to third parties. Not a fan of Google’s effort because they take so much effort.


(Glenn Fleishman) #12

Noted in the article, but it falls back to SMS (or a voice call).


(David Weintraub) #13

Yes, but Apple’s two factor authentication system isn’t available to other developers. Apple could open it up to them. If they did, then they’d have a secure and simple way of doing two factor authentication.

The fallback to text or voice call does cause security concerns. However, if for some reason you cannot do two factor authentication the secured way, what should the system do? Lock you out entirely? Maybe there could be a more secure way. Facebook allows you to choose five people who can vouch for you.


(Adam Engst) #14

I was thinking about why Apple doesn’t open their 2FA system up, but my suspicion is that if they let other developers use it, it would be much more likely to be exploited.

Most authentication app systems let you print out emergency codes; Apple could do something similar, although I think they’d probably go for a system that would rely on biometric information stored in the Secure Enclave if they could.


(Glenn Fleishman) #15

Apple could easily offer an authentication app for Android and Windows that could produce a location alert and code securely and very much like the baked-in versions in iOS and macOS, but perhaps would require launching the app and authenticating it, instead of providing a notification popup.

I just don’t think Apple has a motivation to do so.


(Horvath Adam) #16

A different but important problem with SMS based (or other phone based) 2FA is the fact that some users (as myself) access sites using different SIM cards (& phone#) while they travel. This --in addition to the fact that SMS services may not be reliably available in parts of the world-- practically eliminates 2FA with a phone based second factor for most applications. Some banking services in Europe offer a physical “dongle” that generates a time-limited one time code, but physical objects have their own vulnerabilities (stolen/lost) and how many of these items does one have to carry? Time for a better solution (IMHO)