Mobile phone security's been busted for years, and now 2-factor auth is busted too


My usual lecture at our security events: “If you enable two-factor authentication on your accounts, so that the account texts you when someone tries to access it from an unusual location or with the wrong password, it really enhances your security level.”

My new lecture: “You’re all fucked. Just fucked. Build a Faraday cage and don’t connect to anything outside of it. Did I mention fucked?”


Two-factor authentication that uses hardware tokens or software endpoints like Google’s Authenticator is not affected by this. This is purely an SMS vulnerability.

Granted, Google’s Authenticator and other software endpoints are only as secure as the OS and installed applications they run on and with, but they are not affected by this vulnerability.


Now I feel better about never letting the bank use texts for anything. My unconsidered paranoia is vindicated!


Proper two-factor isn’t “busted” by this. After all, the password is still secret and encrypted, so this only helps a crook who’s already compromised your password.

The thing this breaks is one-factor SMS authentication, which is the new darling of mobile services. A huge number of sites ostensibly have two-factor, but if you hit the “password reset” button they just text you a code to set a new password.

It’s the new email, but even less secure.

Some things (like Signal) are even less secure than that and basically just consider your phone’s identity to be your identity.


I know a nice contractor from Russia who can build you one of those for cheap.


I know a nice kid from Menlo Park who can build you one of those for cheap.


To hell with that, I’m switching to carrier pigeons to send messages.



From now on, communicate with me by rubbing carbon on sheets of wood fiber, and letting the United States Postal Service bring it to my home.



Of course taping the top to prevent that just makes it suspicious.


The headline is the usual clickbait, but you apparently don’t understand what’s going on if you claim it’s not breaking a specific way of 2factAuth.

The point of 2fA is that someone who has your pw needs something you have, i.e. your phone.

Since this is not needed any more, this 2fA fails. It is broken. It does not work as intended. It is dysfunctional. It stopped being secure. It is pushing up the daisies. It is a late security measure. It is a goner.

Also, Signal, which you singled out for shaming, does require a passphrase. And you can set a time limit it keeps this passphrase in memory. It encrypts even your SMS database locally, just in case someone has your phone.

Just FTR, my bank uses this type of 2fa, and I use Signal’s encryption as an additional local layer. Which is quite useless in case of this specific attack, but protects me if someone tries to get my friggin “mTAN” by just nicking my phone.


I’ve always thought SMS-based 2FA had a funny smell. Even before hearing that SS7 is fucked.

I wonder how hard it is to integrate Google Authenticator into your service. I can understand why they wouldn’t want to rely solely on it but I’d use it everywhere it’s available.


My problem is that when Google asks for a code for 2FA, it prompts me for something from Authenticator, but also gives me the option of using:

A text message
Printed recovery codes
An email sent to a non-Google account.

Now, this worked out great when my phone’s screen got broken and I had to activate my new phone without access to the Authenticator app on the old phone (I used the recovery codes)… but I have to say that if SMS is broken, it wouldn’t have been too hard to hijack my account, given just the password.


PayPal used to offer a hardware 2FA device that would read out a six-digit code on the LCD every time I pressed the button. I thought it was a great idea until I realized that they didn’t require the device or anything other than my plain old password to turn off the requirement to use the device.

This fatal flaw seems ubiquitous in many 2FA schemas today: they can be disabled or worked around without 2FA.

They also have SMS as a backup, which they must, because it’s too easy to lose. A phone can be lost or stolen, or the authenticator app might get corrupted or accidentally deleted. And of course, the SMS backup makes it just as vulnerable as an SMS only solution.

