No Two Factor Code Texting

A tweet this week from Oklahoma’s law practice advisor, Jim Calloway, caught my attention.  The National Institute of Standards and Technology is recommending that two-factor authentication no longer rely on text messages to transmit the second factor.

Two factor authentication is what you use for your bank account ATM.  The first factor is your ATM debit card and the second factor is your PIN.  Only with both pieces can you access your account.  Two factor authentication on Web sites is useful because it can reduce the likelihood that someone who guesses or gets a hold of your password can access a site.

snip_20160814140908

The password is just the first factor.  You use a code for the second factor.  In many cases, the only way to get that code is to have it sent to you as a text message.  If you look at twofactorauth.org, you can see which sites support two factor and how they can send you your second factor, the code.

If you can’t use SMS or text messaging, how else can you get your codes?  The codes are time-sensitive so you can use an app on your phone or tablet that will generate the proper code.  These authenticator apps are readily available and support many sites.  I have tried both Microsoft’s regular authenticator called Microsoft Account and their recently rebranded Microsoft Authenticator, f/k/a Azure one (the Azure one was better) as well as the Google authenticator.  Both support services other than their own corporate services.

Jim (as always) has a good point, though.  SMS is popular because it is easy.  And NIST’s proposal is still a draft.  Even if you go to an authenticator app, you still have to consider that anyone who has your phone or tablet may also now be able to generate your codes.

I prefer the apps over the SMS anyway.  For one thing, I am often using a computer where text messaging service is spotty.  It’s not use getting a text sent when I can’t see it.  One way to avoid this – which I don’t recommend – is to tell the site you’re visiting NOT to ask for a code the next time.  Yes, it saves a bit of time.  But the whole point of making the login authentication stronger is to use both factors.  How would you feel if your bank ATM remembered your PIN each time you used a particular machine?

DON'T check the box.  Type a code each time you access.

DON’T check the box. Type a code each time you access.

Another reason I like having the app is that I know, with some degree of confidence, that I can control where the phone is.  First, my phone is encrypted and can only be accessed with a password.  This is the baseline you should use if you use an authenticator app or a password manager on your phone.  When I have my phone with me, which now is nearly always, I can have physical control over that access.

It’s probably worth considering also securing these apps behind a second, in-operating system password.  You might use something like the now renamed Google for Work (f/k/a Divide).  This segments your phone into work and personal workspaces, so you can have easy access to Facebook and games but secure more important apps.  App lockers like Hexlock will do the same thing even without the work aspect.  Even if someone gets a hold of your phone while it’s unlocked and decrypted, a password-protected app locker will slow them down.  If you lose your phone, you can always log in to your two-factor services and deactivate the current authenticator and reactivate on a different device (including on Windows).

I shouldn’t really cheer for NIST’s change and the deprecation of text messaging for two-factor authentication.  It doesn’t impact me at all.  But I can certainly understand why it may be better to have the code-generation happen on your device rather than sent as a communication that you can’t trace.