SMS-based 2-factor: Good or Bad?

Wired published recently an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated to something you have (your phone), but with something you are loosely associated to (your phone number).

The article demonstrates how easy it is to hijack’s someone’s phone number. And of course, once this is done, you can get the authentication SMS and get in. The article points to a solution that really makes your phone a second factor, such as the Google Authenticator application. It generates a one-time password every 30 seconds, without depending on any communication: you simply need to run the app.

But SMS-based second factor isn’t that bad, and it is definitely better than nothing, and Wired fails to tell us why:

  • In the case of a big leak of a few million passwords, any second factor works to protect you against the robots who will check that the password is working before putting it for sale.
  • However, it doesn’t protect you well from that guy who is chasing YOU. In that case, the SMS is definitely easier to hack than other methods that require physical access.

Unless you are famous or you are being unfriendly to hackers, it is quite unlikely that you will be targeted personally by a hacker (at least these days, this may change in a few years…).

So,if you are using SMS-based 2-factor authentication, you may think about other methods if they are available (Fido is great). But if you don’t use 2-factor authentication at all, please start by using this SMS thing, it will protect you at least against the major leaks that we are seeing these days.

Wondering which services you can protect with 2-factor authentication? Check this page and realize that most of the sites you use can be protected.

Java Card software attacks

There have been two papers at SSTIC’16 that outline the limits of bytecode verification in the context of Java Card. One of the papers, by Guillaume Bouffard and Julien Lancia, describes a bug found in Oracle’s bytecode verifier through fuzzing (yes, it’s been fixed). The second one, by Jean Dubreuil, outlines several logical and combined […]

Beyond Java Card

When Java Card was created, the market for smart cards was quite simple: chip vendors would design specific chips, chip vendors would develop an operating system for the chips and produce cards embedding the chip. Since then, this market has become much more complicated. For traditional payment and ID, changes are minimal, as card vendors […]

Java Card LinkedIn stats

I was looking for updated statistics on Java Card, so I turned to LinkedIn to look at the Java Card skill. The information available is declining a bit (for instance, there is no trend or relationship to age any more, or at least I couldn’t find it). Yet, it reveals interesting information. Over 3000 people […]

Inside Java Card: From APDUs to CAP File and Interoperability

As promised in the previous post, here are a few Java Card stories. Over the almost 20 years of Java Card history, many design decisions have been taken on the product: some successful, some less successful. Here are a few stories of these discussions/decisions. API vs. APDU Before Java Card, a smart card specification consisted […]

Java Card, a farewell

My Oracle story has ended, and with it my Java Card story, at least for now. I started working on the technology in February 1997, and I have never been very far from the technology for almost 20 years. However, Java Card is not in the scope of my next job, as I will focus […]

Fiction (maybe): Who will refuse to break a secure element?

Apple is refusing to break an iPhone for the FBI. I believe that they are right to do so, but also that this position isn’t that easy to stand for everybody. So, here is a little fiction (well, I think it is fiction) about this. The iPhone is a secure device, so the best way […]

Fashion statement

I am just out of the Cartes show. A bit depressing, mostly because of the current circumstances and the number of “Absent exhibitors”. However, there werea few interesting highlights. One of them came in the Wearable and IoT conference track, in a presentation from Oberthur’s Olga Titova Candel about Wearable Payments for Fashion. The main […]

About PIN, the iPhone is about 20 years behind smart cards

I was astonished when I read this article on breaking the iPhone PIN. Some guy has built a device that can guess your iPhone PIN, and he is using a very old trick that was performed on cards years ago. Of course, the exercise is pointless; as noted in the original article, Apple can (will) […]

Did Apple just boost mobile security?

I have been working on mobile security for many years, and things haven’t moved much: justifying mobile security is always painful. Whyshould Ispend more money? There aren’t that many attacks! Some business use cases seemed like a good justification, but the economics are unclear and remain in the order of “if youget hacked, it could […]