A bad day with mobile 2FA
Author: Evan Schuman | Date: Mon, 09 Apr 2018 03:00:00 -0700
As a longtime proponent of two-factor authentication (2FA) in a mobile world, I was pained to get hit with two problems using 2FA on Thursday (April 4). But maybe the ability to publicize those two mobile-oriented problems with 2FA will do some good, if sites just pay attention.
The day started with my trying to link to an interesting mobile security story in my social feed (yes, that would shortly prove ironic). The story link wouldn’t work for me, with my browser telling me the site had redirected me too many times. It suggested that I clear out my cookies. That made little sense to me given the immediate problem, but I was overdue for a cookie cleanout anyway, so I gave it a shot.
It didn’t help, of course. I came up with a workaround (I linked to the story’s comments, which worked just fine). Next, I visited various social sites. One of my favorites — a small and little-known site — asked for my login and password. I complied, and it then escalated to 2FA. It didn’t give me any options about the second factor (which is mobile 2FA problem number one) and insisted on texting me a confirmation number.
I waited but nothing arrived. So I asked it to do it again and again. Nothing. That’s when I realized that the site was likely trying to text my landline. And that is mobile 2FA problem number two: If you’re asking for my phone number so that you can text me sometime down the road, tell me that, and I’ll give you my cellphone number. Otherwise, you’ll get the number I most often answer, my landline, and it will do you no good when it’s really needed.
And this is where problem number one bumps up against problem number two: If texting doesn’t work, users need another option, at the very least a support number to call.
But wait, there’s more. I next tried to post to Google Plus. Thoughts of my recent 2FA problem flitted through my head, but I thought to myself, fear not, Google uses an excellent 2FA that doesn’t rely on texting confirmation numbers. It knows that process is far too susceptible to man-in-the-middle attacks. No, for Google, I have a trusty USB fob. And when I tried logging in, it insisted on the fob. But it was just not my 2FA day; when the fob was inserted, nothing happened.
And that’s when I learned that I was giving Google too much credit for being security-conscious. When Google couldn’t see the fob, it just defaulted to a texted confirmation number. (It turned out that a laptop reboot made the invisible USB device visible again.)
Companies need to have a human-managed backup to security so that legitimate users aren’t locked out with no way back in. If you can’t justify a call center, then at least have an email address pop up — and make sure that inbox is watched aggressively.
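The failure modes described above (a site with only one second-factor option, a number that was never meant for texting, and a silent downgrade from a hardware key to a texted code) can be made explicit in the factor-selection logic itself. The Python below is an added example written for this page, not code from Google or from any site mentioned in it; the factor ranking, the `Account` and `Challenge` types, the `allow_downgrade` flag and the support address are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Set


class Factor(IntEnum):
    """Second factors ordered by assurance; a higher value is stronger.
    (Constructed ranking for this example, not a published standard.)"""
    SMS = 1           # one-time code texted to a phone
    TOTP = 2          # authenticator-app code
    SECURITY_KEY = 3  # hardware key such as a USB fob


@dataclass
class Account:
    user: str
    enrolled: Set[Factor]
    # Number collected *specifically* for texting. A landline recorded as a
    # generic "phone number" must never end up here; None means we never
    # asked for one.
    mobile_number: Optional[str] = None


@dataclass
class Challenge:
    factor: Optional[Factor]   # factor to challenge with, or None
    downgraded: bool           # True if weaker than the user's strongest factor
    reason: str                # explanation for logs and the login UI
    recovery: Optional[str]    # where the user goes when no factor works


SUPPORT_CONTACT = "2fa-support@example.invalid"  # placeholder address


def choose_second_factor(account: Account, available: Set[Factor],
                         allow_downgrade: bool = False) -> Challenge:
    """Pick the factor to challenge with, or a recovery path.

    available: factors the client can use right now (SECURITY_KEY is
    absent when the USB key is not detected, for instance).
    allow_downgrade: the user explicitly agreed to use a weaker factor;
    the default of False means a missing strong factor never silently
    turns into a texted code.
    """
    if not account.enrolled:
        return Challenge(None, False, "no second factor enrolled",
                         SUPPORT_CONTACT)

    strongest = max(account.enrolled)
    usable = {f for f in account.enrolled if f in available}

    # SMS is only usable if we hold a number that was given for texting.
    if Factor.SMS in usable and not account.mobile_number:
        usable.discard(Factor.SMS)

    if not usable:
        # No dead ends: hand the user a human-managed way back in.
        return Challenge(None, False,
                         "no enrolled factor is usable right now",
                         SUPPORT_CONTACT)

    chosen = max(usable)
    if chosen < strongest and not allow_downgrade:
        # Strongest factor unavailable: stop and ask rather than fall back.
        return Challenge(None, False,
                         f"{strongest.name} unavailable; ask the user before "
                         f"using {chosen.name}",
                         SUPPORT_CONTACT)

    return Challenge(chosen, chosen < strongest,
                     f"challenge with {chosen.name}", None)


if __name__ == "__main__":
    # Constructed walk-through of the scenarios in the article.
    user = Account("reader", {Factor.SECURITY_KEY, Factor.SMS},
                   mobile_number="+1-555-0100")
    print(choose_second_factor(user, {Factor.SECURITY_KEY, Factor.SMS}))
    print(choose_second_factor(user, {Factor.SMS}))                       # key not seen
    print(choose_second_factor(user, {Factor.SMS}, allow_downgrade=True))  # user opted in
    landline_only = Account("caller", {Factor.SMS}, mobile_number=None)
    print(choose_second_factor(landline_only, {Factor.SMS}))              # nothing to text
```

The two design choices worth noting are that a downgrade is a decision the user makes (`allow_downgrade`), never something the server infers from a missing device, and that every branch with no usable factor returns a recovery contact instead of an empty challenge, which is the "way back in" the column asks for.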
Also, text messaging is simply too insecure to continue having a role in 2FA. Note to handset manufacturers: How about shipping phones with fobs that can perform physical authentication? USB is not ideal, but if that’s your route, include an adapter if necessary. Phone manufacturers have the means — all on their own — to start enabling users to properly authenticate themselves.
2FA is a great idea, but companies need to think through these issues better. For starters, if you want a mobile phone number, just say so.