Google Is Replacing SMS Codes with Mobile Prompts in 2SV Overhaul

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Post by Moogle Stiltzkin »

Google Is Replacing SMS Codes with Mobile Prompts in 2SV Overhaul
Google wants you to upgrade to a better form of two-factor authentication: invitations will be going out next week for a prompt-based 2SV system that will replace the current SMS-based variety. The company believes that the new method is far more secure, being that it runs through Google Play Services and cannot be intercepted: in order to defeat this security, someone would have to steal your phone that is registered to accept 2FA prompts from Google.
Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out. Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.

https://www.hardocp.com/news/2017/07/15 ... v_overhaul
Just a recap of what Google 2-step verification is like:
[youtube=]XtBiH-srAow[/youtube]


As for why Google is doing this, refer to this:
Standards body warned SMS 2FA is insecure and nobody listened

Duo Security says NIST's advice to deprecate out-of-band passwords has been ignored
By Darren Pauli 6 Dec 2016


The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security.

Last July NIST declared that sending one-time passwords to mobile phones was insecure.

The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable.

"Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators," NIST wrote at the time.

"Out-of-band authentication using [SMS or voice] is deprecated, and is being considered for removal in future editions of this guideline."

NIST stated organisations using SMS for two factor authentication must verify that the supplied number is not associated with a voice-over-IP service.

But scores of organisations use SMS for verification. Google offers it as a fall-back service in place of secure mechanisms like its Authenticator app and hardware dongles, as do Twitter, Facebook, and scores more.

Duo Security's Mayank Saha says the statement has had virtually no impact some six months after its announcement, according to statistics about the use of SMS among its clients.

The firm's customers include NASA, Facebook, Toyota, and Etsy, plus organisations in the government, health, and education sectors.

"Prior to the declaration, we were seeing roughly six to eight percent of two factor traffic in use with our service via the SMS method … after the announcement was made we’ve seen a similar percentage," Saha says.

"There is a notable lack of significant change to the rate of decline after the release of the revised NIST guidelines."

Saha says SMS has this year slowly fallen out of favour with clients but that the NIST advice did nothing to accelerate that rate.

He says push-based authentication, which NIST recommends and Google deployed in June, is more user friendly and secure than SMS, as are U2F dongles, which require users to insert USB sticks into the devices they log in from. Google also uses the latter login mechanism and plugged it in a recent study, Security Keys: Practical Cryptographic Second Factors for the Modern Web [PDF].

SMS authentication is the most universal and arguably useable method of two factor login, primarily because it requires only a phone bearing the right SIM card.

It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.

The NIST guidance comes some four years after Australia's private sector Communications Alliance lobby group ruled SMS as unsafe for two factor authentication.
https://www.theregister.co.uk/2016/12/0 ... d_warning/

To my understanding, the Google Authenticator generates the code on the app already installed on your smartphone, and is synced with your device. This then avoids the SMS issue, since the code generated is from your smartphone only. So I guess this SMS replacement is for their fallback options, which shouldn't be used to begin with :)


PS: QNAP uses Google Authenticator 2-step, which is good :wink:
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin