An Important Misconception about Two-Factor Authentication

The adoption of two-factor authentication (2FA) could not be more important. Something-you-know secrets have proven ineffective time and again, be it through password guessing or cracking, password sharing, password reuse, flaws in password resets, and even just forgetting the many passwords we now have to remember. Combining passwords (something you know) with something you have dramatically improves security and reduces the risk of an account compromise. But is the way many applications implement 2FA really true 2FA?

In my personal observation, the fastest growing type of 2FA implementation leverages SMS or voice calls to a user's cell phone. The premise being, a cell phone is something- you-have, and only you have. Therefore, by issuing an out-of-band token over SMS or voice call, it is presumed that only the registered user with possession of that device can authenticate. This is, however, misguided and simply not the case. In fact, this approach is not 2FA at all.

On its face, this is nothing more than a second exchange of something-you-know; the first something you know being the password, and the second something you know being a token recently transmitted to you out-of-band. This is evident in the fact that SMS is not a secure protocol. These messages are easy to intercept over the air[1], with malware [2][3][4], trivial to intercept by engineers at writing the code or monitoring the systems that transfer these messages, and obtainable by law enforcement with (sometimes without[5]) a warrant. In other words, an SMS-based token is something you know, and in fact something many other people might know.

Semantics aside, even if one should acquiesce to the position that SMS/voice has a reasonable guarantee of only ever reaching the true user's phone, believing that this represents something you have is still sorely misguided. The something you have leveraged in this case is not a cell phone, but a cell phone number --a very different concept. A phone number is not something you have and is far easier to steal than a physical device. In many cases, corporate or family cell phone accounts can circumvent this, taking control of a cell phone number of another individual with a trivial reassignment of that number to a new phone. Social engineers can likewise reassign numbers by calling the provider and convincing them that they are you, proving that they are you by, you guessed it, demonstrating nothing more than something-you-know; a few bits of PII that aren't all that difficult to come by.

Still, SMS/voice-based faux-2FA is a massive improvement over not having the option. There are a myriad of weaker attacks that this approach does mitigate. The decision to use such an implementation, however, must be fully understood by the engineers and decision makers weighing their threat model against how they choose to design their platform.

All is not lost though, a cell phone can be a something-you-have token entirely valid in the 2FA paradigm. There are a handful of downloadable apps that can integrate with web applications for providing true 2FA. These rely on a combination of cryptographic algorithms, trust-on-first-use, and a stored secret token of some kind on the phone, not accessible by any other phone through a transfer of some kind at the phone company, and not obtainable through an interception of an out-of-band channel. The only option then to compromise the second factor is to A) find weaknesses in the cryptography, or B) obtain or gain access to the user's cell phone --both very difficult to achieve tasks, far more difficult than obtaining a phone number.


  1. 4 Things You Must Know About Those Rogue Cellphone Towers
  2. Android malware intercepts SMS messages to steal mobile banking codes
  3. Perkele Android Malware Kit
  4. Malware Now Disconnects Phone Calls
  5. How the Government Can Get Your Digital Data

Additional Information

Readers interested in further details about this topic can reach us at: