Slides for my BSidesDFW talk are online: "SMS OTP is Not Secure Two-Factor Authentication! Now what?"
The conference was held November 5, 2016 at SMU Plano.
The slides and resources pages can be found here.
It's no secret that that sending one-time-pad codes via SMS are not a secure mean two-factor authentication. But they're oh-so-easy to implement. What's the blue team to do?
In May of this year (2016) NIST published the document “Draft Special Publication 800-63-3: Digital Authentication Guideline”. Among the many changes to the digital-authentication guidelines was the long-overdue decision to deprecate short-message service, one-time pads (SMS OTP).
Rather than running with the provisional NIST guidance and pushing for reform, many security practitioners responded than embracing the guidelines continued supporting SMS OTP, even if half-heartedly, by noting “it’s better than nothing.”
When pushed on the question of SMS security, some suggested “use a burner phone number”. Others downplayed the risk by arguing SMS-interception attacks are rare and difficult to execute.
The chief reason for this support are the competing needs of improved security and end-user convenience. Mobile devices are ubiquitous and SMS available on most. It seems like an easy win.
In this talk we'll look at the attack scenarios against SMS OTP and consider credible, easy-to-implement mobile alternatives.