SMS Text Message Login Codes Autofill in iOS 12 and Mojave, But Remain Insecure

Originally published at:

Apple streamlined two-factor login confirmations via text message in iOS 12 and macOS 10.14 Mojave. But using SMS to validate your login remains problematic because of phone number hijacking. Apple should lead the way to retire it.

I’m not sure I understand why we should give up on using text message 2FA because of phone number porting. Shouldn’t the proper response to the issue be that carriers are forced to ensure that I and only I can authorize them to move my phone number to another SIM or device? I would expect the carrier to be responsible for safeguarding my number since they are the only party who can do that. If they aren’t willing to do that, why should I be doing business with them in the first place?

Any system that relies on human frailty will fail.

The answer is yes, the carriers should secure us from SIM hijacking, but they remain imperfect. What remains nearly impossible to hijack (if not impossible) is time-based one time passwords (TOTP), such as those delivered by an application like Google Authenticator or Authy, or even the method used by Apple with their devices, which delivers these messages to all devices using the Apple ID to approve a new login.

Here is a recent article detailing how easy it is to be SIM-hijacked: (and I apologize if this has been linked before.)

Plus the accompanying “what we can do to protect ourselves”:

Phone companies are supposed to ensure that you are the person authorizing them to move your phone number to another SIM. But in reality this doesn’t happen often enough. The customer support people end up doing the move in the name of customer support. There is no reason to believe that the phone companies will get any better at it.

There is a big difference between “should” and “does.”

Yeah, I was being facile above, but that’s it. There’s no sensible way to use SMS reliably, because both the telephone switching system (SS7) used globally cannot be properly secured (allowing hacking and interception), and the way in which user accounts and phone portability has been designed prevents creating a process with enough identity integrity that it won’t frustrate average people who won’t be able to reliably cross the security bar.

Using an authentication app or Apple’s 2FA ecosystem makes vastly more sense if you actually want the extra security. SMS is more secure than single-factor password logins, but not secure enough as a continued path forward.

And if they make it harder, customers get frustrated and shift carriers — and they also add to the cost and burden of customer service. It’s a no-win situation. 2FA wasn’t designed to work over an insecure medium like SMS in the first place, which is why it’s not a good idea now.

So are providers who choose to have their customer service reps put convenience over security not getting sued big time when somebody gets defrauded of hundreds of thousands of $ and/or falls victim to identity theft with serious consequences?

I have to admit I have a hard time seeing how using a myriad of apps should offer better security. How many apps have had security issues? How many businesses (who issue these apps) have been hacked? How many app “stores” have suffered from hacking? iOS might be one thing, but what about the large rest of the world? On another note, how is using a plethora of apps to essentially do one thing (2FA) convenient? I don’t think a world where every online account I have also requires me to download some app that I essentially have to trust blindly is such a great perspective.

I guess I’m just asking a whole bunch of naive questions because the more I hear about the issue the more I wonder if 2FA was such a great idea to start out with. That said, it also sounds like a somewhat regional issue. Identity theft seems to be especially rampant in the US (compared to several western European countries I know). From what I gather perhaps because companies here are not really held to especially high standards when it comes to safeguarding their customers’ data and privacy.

The carriers have seemingly negotiated away some liability through disclaimers and disclosures, as I haven’t yet heard of a successful lawsuit. (They may make private settlements and force NDAs to avoid them.)

2FA is a great principle, and SMS isn’t technically a second factor by a lot of definitions. A second factor has to be disconnected from the first. It’s also not a myriad of apps. There are only a few apps that offer TOTPs that people recommend (Authenticator, Authy, Duo Security, and 1Password), and the other apps used for verification are made by the service provider (Facebook, Google, etc.), which has some liability and responsibility.

SMS was convenient, not the right choice.

It gets reported more here, but I cannot believe there’s less of it. A lot of the reporting in Europe will be in non-English languages, reflecting the majority of residents’ native tongues, so likely to be less visible than, say, identity theft in the UK, which is as much of a problem as in America.

While I would argue that TOTP apps like Google Authenticator are a bit tech-heavy to explain to average non-technical user, it surely doesn’t require having a security app for each app that you own. Not only does a single instance of Google Authenticator/Authy work with online services from Google, Facebook, Dropbox, Twitter, Instagram, Amazon, Microsoft (and many others), now 1Password supports storing these TOTP codes for you, and can fill them as well as user ID and password for you. (One might argue that using 1Password to do this is putting all of your eggs in one basket, though.)

Google Authenticator’s great weakness is that there is no way to restore the codes, such as when you buy a new phone and restore from backup. Authy does offer a password-secured cloud backup of these codes, though.

A good, though old, article from TidBits about such a scenario (though the info about Apple is out of date): Dancing the Two-Step: Coping with the Loss of a Second Factor - TidBITS

And an article about getting started with 2FA using an app like Google Authenticator: How to Secure Your Accounts With Better Two-Factor Authentication | WIRED

And there is one other method not already mentioned: using a security key made by a company like Yubikey.

Apple does have a two factor authentication system that handles the security issues that SMS two factor authentication has.

I wonder if it’s possible to open up to third parties. Not a fan of Google’s effort because they take so much effort.

Noted in the article, but it falls back to SMS (or a voice call).

Yes, but Apple’s two factor authentication system isn’t available to other developers. Apple could open it up to them. If they did, then they’d have a secure and simple way of doing two factor authentication.

The fallback to text or voice call does cause security concerns. However, if for some reason you cannot do two factor authentication the secured way, what should the system do? Lock you out entirely? Maybe there could be a more secure way. Facebook allows you to choose five people who can vouch for you.

I was thinking about why Apple doesn’t open their 2FA system up, but my suspicion is that if they let other developers use it, it would be much more likely to be exploited.

Most authentication app systems let you print out emergency codes; Apple could do something similar, although I think they’d probably go for a system that would rely on biometric information stored in the Secure Enclave if they could.

Apple could easily offer an authentication app for Android and Windows that could produce a location alert and code securely and very much like the baked-in versions in iOS and macOS, but perhaps would require launching the app and authenticating it, instead of providing a notification popup.

I just don’t think Apple has a motivation to do so.

A different but important problem with SMS based (or other phone based) 2FA is the fact that some users (as myself) access sites using different SIM cards (& phone#) while they travel. This --in addition to the fact that SMS services may not be reliably available in parts of the world-- practically eliminates 2FA with a phone based second factor for most applications. Some banking services in Europe offer a physical “dongle” that generates a time-limited one time code, but physical objects have their own vulnerabilities (stolen/lost) and how many of these items does one have to carry? Time for a better solution (IMHO)

A better solution exists: Time-based (not message-based) Google Authenticator codes via an application like Authy. See this article from a few years ago on Tidbits:

I have used Authy for several years, with it installed on my phone, tablet and watch.

Noted in the article! App-based authentication can be effectively tied to a device — its internal tokens can’t just be copied elsewhere and used — so it meets the “something you have” requirement fairly well. I’m a big Authy fan.

The very best solution is U2F (universal two factor), which requires a physical dongle and uses public-key cryptography to identify a user uniquely to a service and to let the user validate that the service requesting a code is the one they signed up for. You first enroll, and the service holds your public key. So the next time you log in, the service sends something that’s signed with your public key. If you don’t get a properly signed message, you know it’s a phishing site, not the real one. A great layer on top of https.

However, in practice, I don’t know when and how it will be widely adopted. Yubikey makes a bunch of these U2F dongles, and they’re supported in macOS via Chrome, as well as more deeply elsewhere. Because it requires a physical connection, it’s a problem with mobile devices, and you have to carry your U2F device (however tiny) around.

My suspicion is that a mobile phone could embed a U2F-like system into Secure Enclave or a similar secure area, and provide generic 2FA validation that’s completely device locked and uses the protocol effectively.

One of the advantages with U2F on services that don’t offer fallback (it’s U2F or a backup one-time code or nothing) is that the password can be super simple—like a 4-digit or 6-digit code. Because there’s no value at all in breaking the password.
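Here is an added example (not from the thread, Yubico or any U2F library) of the origin-binding idea behind U2F in Go. It uses ed25519 from the standard library instead of U2F’s ECDSA P-256 and a simplified signed-message layout; both are assumptions made to keep the example self-contained, and the origins in `main` are constructed. The two properties it demonstrates are the ones the post relies on: the service keeps only the public key from enrollment and verifies the key’s signature over its own challenge using its own origin, so an assertion the key produced for a look-alike page does not verify; and a signature counter that must advance lets the service spot a replayed assertion or a cloned key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration is what the service keeps after enrollment: the key's public half,
// the origin the key was enrolled for, and the last signature counter it saw.
type Registration struct {
	PublicKey ed25519.PublicKey
	Origin    string
	Counter   uint32
}

// Authenticator models the physical key. The private key never leaves it, and a
// counter increments on every signature it makes.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register is enrollment: the service stores the public key bound to its own origin.
func (a *Authenticator) Register(serviceOrigin string) *Registration {
	return &Registration{PublicKey: a.priv.Public().(ed25519.PublicKey), Origin: serviceOrigin}
}

// signedData is the message both sides construct independently: SHA-256 over the
// hash of the origin, the counter and the service's challenge. Including the origin
// is what ties a signature to exactly one site (simplified layout, an assumption here).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write(originHash[:])
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the user touching the key. The browser passes in the origin of the page
// that asked; the key signs for whatever origin it is told, and that is the point:
// a signature made for one origin is useless at any other.
func (a *Authenticator) Sign(observedOrigin string, challenge []byte) (uint32, []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, signedData(observedOrigin, a.counter, challenge))
}

// NewChallenge is the service's fresh per-login nonce.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the service side: it rebuilds the signed data with ITS OWN origin, so a
// signature the key made for a look-alike origin does not verify, and it rejects a
// counter that did not advance (replayed assertion or a cloned key).
func (r *Registration) Verify(challenge []byte, counter uint32, sig []byte) error {
	if !ed25519.Verify(r.PublicKey, signedData(r.Origin, counter, challenge), sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	if counter <= r.Counter {
		return errors.New("signature counter did not advance")
	}
	r.Counter = counter
	return nil
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	reg := key.Register("https://bank.example") // constructed origin
	ch, _ := NewChallenge()
	counter, sig := key.Sign("https://bank.example", ch)
	fmt.Println("genuine origin:", reg.Verify(ch, counter, sig))
	counter, sig = key.Sign("https://bank-example.login.test", ch) // constructed look-alike origin
	fmt.Println("other origin:  ", reg.Verify(ch, counter, sig))
}
```

Nothing the user could type or be tricked into typing appears in this exchange, which is why the post can say the password behind a U2F-only login barely matters: the secret that proves possession is the private key, and it is only ever exercised, never disclosed.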

The dongle my bank gave me back when I lived in Sweden didn’t require a physical connection at all. It required I insert my debit card and then punch in my passcode as well as a one-time passcode they displayed on their website while I was logging in. The dongle then gave me an answer passcode that I punched into their website. Done. This actually worked even on iPhone Safari, no cable connection whatsoever. It might sound a bit cumbersome and the disadvantage is of course that you need that dongle on you, but I suspect it was top notch in terms of security and it always worked very well for me.