Photo by Fancycrave
Many Web sites and apps now offer two-factor authentication (2FA), which requires you to enter a short numeric code—the so-called second factor—in addition to your username and password. These temporary codes are either sent to you via text message or are generated by an authentication app. In iOS 12 and macOS 10.14 Mojave, Apple has streamlined entering such codes when sent via an SMS text message, reducing multiple steps and keyboard entry to a single tap or click.
I explain just below how this new feature works, but I also want to raise a caution flag. SMS is no longer a reliable way to send a second factor because it’s too easy for even small-time attackers to intercept those messages (see “Facebook Shows Why SMS Isn’t Ideal for Two-Factor Authentication,” 19 February 2018). It’s time for Web sites that use 2FA to move away from SMS.
Passthrough SMS Codes in iOS 12 and Mojave
When you log in to a site with 2FA enabled that offers SMS-based codes, the sequence usually goes like this:
- You complete the standard password-based login and are prompted for a code.
- A text message with a code, typically six digits long, arrives in Messages.
- If you use notifications to show incoming texts and you’re fast enough, you enter the code as you see it into the Web form and submit it. Otherwise, you switch to Messages, either memorize the code or select and copy it, and return to the site to enter it. (In iOS, you can’t easily select part of a message, making that additionally frustrating.)
- Submit the form to login.
In iOS 12, Safari, Messages, and the QuickType bar above the keyboard work together, in a process that looks like this:
- Enter your username and password as in step 1 above.
- Tap in the second factor field.
- When the text message arrives, iOS 12 extracts the code and displays it in the QuickType bar. Tap it to enter the code in the field.
- Submit the form to log in.
Here’s a quick video demonstration.
Mojave works almost identically. Instead of the QuickType bar in step 3 above, however, the autofill entry appears below the code field when you click in the field. It’s labeled From Messages and reads Fill Code followed by the short code. Click it to enter it in the field.
Annoyingly, I found that Mojave listed all previous codes texted—in this case, for my Twitter login—and I had to scroll way down in the dropdown list to find the From Messages item. Selecting that item also proved difficult unless I clicked it and then quickly clicked away from the form field. Otherwise, macOS interpreted pointer movement that hovered over the dropdown list as scrolling and selection! Apple needs to refine this user experience and flush previous entries.
These shortcuts shave a few seconds and a little aggravation off the process, so they’re not a major productivity win, but they do make 2FA less of a roadblock for more people. By reducing friction and making it a simple workflow that feels nearly the same as entering a password from the iCloud Keychain, Apple hopes to encourage more of its customers to enable 2FA at more sites.
Unfortunately, there’s a cloud hanging over Apple’s optimism: SMS-based codes aren’t a reliable security method and should have been eliminated over the last few years.
It’s Easy to Hijack SMS Codes
You have probably seen headlines along the lines of, “Cryptocoin investor has entire holdings stolen with account hack!” Such thefts start with an attacker gaining control of a phone number. This is unfortunately surprisingly easy. Mobile phone numbers are portable, which means they can be easily moved from one physical phone to another, and even transferred among carriers. The basic approach works like this:
Step 1: Obtain personal information. “Background check” sites and stolen information floating around the Internet make it trivial to obtain someone’s phone number, Social Security number, bank account number, and other personally identifying details.
Step 2: Hijack a phone number. To take over a phone number, the attacker then generally uses social engineering, another term for scamming someone with words. They call a phone carrier and explain how they need the number transferred, provide the identity information required to verify themselves, and give the technical details for the new receiving phone.
Although major carriers have started letting customers set an additional PIN for account changes, news stories have revealed that hackers have sometimes managed to talk their way around not having the PIN. And since that additional PIN isn’t required, it’s unclear how many subscribers use one.
(Some hijackers have also shown they can insert themselves into the public switched telephone network to sniff information or hijack a phone number. If a lone attacker can do that, governments obviously can as well.)
Step 3: Take over an account with a password reset. Once the attacker can receive text messages for someone’s hijacked number, they can visit a site at which they expect someone has an account and take it over. Many sites that offer 2FA also allow password resets via SMS, making the assumption that physical possession of a phone is sufficient security.
For instance, it’s common to see text like this on a password reset page:
If you don’t have access to the email address on file for your account and need to reset your password, you can use your verified phone number to update the email address that receives the password reset email.
At many sites, the attacker would also need to know the original email address, which is trivial for someone who has hijacked a phone number.
Thus, an attacker requests an email address change and receives a link via SMS to complete it. On that page, they provide the new, illegitimate address, and verify its receipt to finish associating the account with the new email address. Then they can complete a password change, which sends a link via email to the new address, and with the new password set, they can log in—using the SMS code for 2FA.
Each of these steps is benign, but it all adds up to effectively requiring just one credential—the phone number—instead of two.
With full access to an account, the attacker can drain cryptocurrency, send out email, and carry out other financially or reputationally damaging attacks.
It’s Time to Stop Using SMS for 2FA
Sites originally chose to use SMS-based code validation for 2FA to lower the barriers to 2FA—more people understand SMS than authentication apps. And, regardless of the vulnerabilities of SMS, it’s far better to use a second factor than not, because it deters wholesale attacks against accounts. Even if an attacker gained access to all the decrypted passwords for a service, every account with 2FA enabled would still be able to resist unauthorized logins. But SMS-based 2FA is vulnerable to targeted attacks and identity theft.
Apple’s proprietary 2FA system for macOS and iOS remains extremely robust, but it still allows the use of SMS and voice calls as a backup when trusted devices aren’t available. Many other systems rely on authentication apps that generate time-based one-time passwords (TOTPs), including 1Password, Authy, Google Authenticator, and LastPass, among others. When you use this app-based approach, a service typically also issues you emergency one-time use backup codes that are static—they don’t expire over time, like TOTPs.
Despite Facebook’s routine hiding of new policies that are invasive of people’s privacy and personal information, the company does allow you to use 2FA without a phone number. (This is more significant now that researchers have discovered Facebook has been exploiting people’s 2FA-associated phone numbers for marketing purposes.) Google doesn’t make this fact explicit, but after setting up 2FA, you can remove phone numbers, too, and rely on a combination of other second factors.
While it’s admirable Apple has streamlined SMS code entry, it would be even more so if the company would kickstart the move away from SMS. Such a move doesn’t have to be forced: it could begin with Apple and others providing education and offering a switch to disable SMS codes as backups. It’s inevitable that we’ll have to stop using SMS-based 2FA codes, and it would be better to work toward that before a wide-scale hack makes it a crisis.
If you’d like to learn more about managing security features in iOS 12, as well as understanding and configuring networking and privacy, check out my new book, “A Practical Guide to Networking, Privacy, and Security in iOS 12.” TidBITS readers get 25% off with the coupon code TIDBITS.