SMS was never designed to be a secure means of communication. Ease of use and convenience are great things, but nothing else about SMS is good. Nathan Collier, a senior malware intelligence analyst at Malwarebytes, describes SMS like this:

"SMS text messages, sent and stored on servers in plain text, can be intercepted during transit. Moreover, SMS messages can be sent to the wrong number. And when messages reach the correct number, there is no notification from the recipient as to whether the message was read or even received."

A bigger problem is that carriers can (and have been) tricked into authorizing a new SIM card using the phone number of someone else. So if someone really wanted to get access to your bank account or order a bunch of stuff from Amazon using your credit card, all they need to do is convince someone at your carrier that they're you, you lost your phone, and you need your number moved to a new SIM card that they happen to be holding.

All of this goes for email-based authentication, too. Email is really the only way any account recovery process can work, and plenty of places like your bank will want to send you a code via email to log in from a new device. It's just not very secure, and everyone in the industry knows it. So maybe fixing how email is used as a backbone for this sort of thing is what comes next.

Authenticator apps

Authentication apps like Google Authenticator or Authy offer a significant improvement over SMS-based 2FA. They work using what's called Time-Based One Time Passwords (TOTP): an application on your phone generates a short code from a shared secret and the current time using a standard algorithm, without any network connection. The website or service runs the same algorithm on its copy of the secret to make sure the code is correct.

Authenticator apps are better than SMS for 2FA, but they are not foolproof. Since they work offline, TOTP-style 2FA isn't subject to the same problems that using SMS is, but it's not without its own set of flaws. For example, security researchers have shown that it is possible to intercept and manipulate the data you're sending when you enter the TOTP on a website, but it's not easy. It's possible to build a phishing website that looks and acts just like the real thing, and even passes along the credentials you supply, like your password and the TOTP generated by an authenticator app, to log in to the real service. It also logs itself in at the same time and can act as if it were you, without the service you're using knowing the difference. After all, the proper credentials were supplied.

Some services, most notably Apple and Google, can send a prompt to your phone during a login attempt.
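To make the TOTP description above concrete, here is an added example (not code from the original article or from any authenticator app) implementing the RFC 6238 time-based code on top of the RFC 4226 HOTP construction, plus the server-side check a service would run. The `TotpVerifier` class, its one-step skew window and its last-used-step bookkeeping are my own assumptions about a reasonable verifier, not anything the article specifies. The replay refusal shows why a code that was captured and used once is worthless afterwards; it also makes clear why the real-time relay phishing the article describes still works, since the phishing site submits the freshly typed code before the victim's own session ever would.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, the value authenticator apps use by default
DIGITS = 6       # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is simply the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that a QR-code enrollment hands to the phone app."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side of the exchange (assumed design, not from the article).

    Accepts the current step and `window` steps either side to tolerate clock
    skew, and remembers the newest step it has accepted so the same code can
    never be used twice. This defeats replay of a captured code but not a
    live relay, where the attacker submits the code first.
    """

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // TIME_STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older than one we consumed)
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real one is generated by the service at enrollment.
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("code:", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

The test values come from the RFC 6238 appendix vectors (ASCII secret `12345678901234567890`, SHA1), so the implementation can be checked against the published standard rather than against itself.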