SMS based 2FA not secure

FIREd_2015 (Recycles dryer sheets; joined May 18, 2015; 362 messages; location NorCal)
I've set up SMS-based 2FA on many accounts, including brokerage, Amazon and others. Recent guidance dated 12/18/2024 from the Cybersecurity and Infrastructure Security Agency (CISA) says "...Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them..." The press release says using Authenticator Apps such as Google or Microsoft Authenticator are better but "...While authenticator codes are better than SMS, they are still vulnerable to phishing...Only FIDO authentication is phishing-resistant..."

I wonder how long it will take before financial institutions implement new authentication?

Financial institutions are notoriously bad at adopting modern security practices. If you are logging into somewhere that supports it, use a YubiKey or similar with a passkey; if not, use a passkey in iCloud or a password manager; if not, use app-based auth like Google Authenticator; and only if they support none of the above, use SMS.
 
You left out the words “highly targeted”. Most of the readers of this forum don’t fall into this category. Even if they got your time limited SMS 2FA they would then need to get your password.
 
If you "like" your financial institution, they may be able to use Google Voice for SMS 2FA (not a guarantee). I've been able to use Chase, Capital One, American Express, and TD Bank with Google Voice SMS.

Below is a list of "crowd sourced" Google Voice compatibility, but certainly SMS is the worst option for 2FA / MFA / 2SV.
 
Vanguard has recently offered authentication via the Vanguard phone app (on my iPhone). It requires me to get my phone out of my pocket, bring up the app login (I use LastPass to inject the login/password), and then verify that it is me requesting access to the PC login. Or I can use SMS, which is a bit quicker as I get the 6-digit code on my watch.
 
FYI, you can use Symantec VIP OTP at many of the big financial providers. This can run as an app on your iPhone, or as a standalone token that costs about $25.
 
There's a way to enroll or convert the Symantec VIP secret or seed to a standard TOTP seed (for any universal, non-proprietary authenticator app).

Fidelity recently went from Symantec VIP to standard TOTP for 2FA.

However, E*Trade and Schwab still use Symantec VIP. But E*Trade does allow for multiple Symantec secrets, so if you have multiple phones, you aren't stuck with a single device for your Symantec authenticator.