March 17, 2019

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.
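The reset flow the reader describes, placed beside a hardened one, as an added example (Python written for this page; it is not Yahoo’s code or anything from the article). The account names, phone numbers, fixed clock and the 180-day re-verification window are constructed assumptions. The hardened version does what the reader asks (the caller must name the account before any SMS goes out) and goes one step further, motivated by the article’s point about numbers returning to the pool: a number the user has not re-proven control of for a long time is not trusted as the sole reset factor.

```python
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 600                      # a reset code is good for ten minutes
REVERIFY_AFTER_SECONDS = 180 * 24 * 3600    # assumption: a number not re-proven in 180 days may have been recycled
NOW = 1_700_000_000.0                       # fixed clock so the sample is reproducible


@dataclass
class Account:
    username: str
    phone: str
    phone_verified_at: float   # last time the user proved control of this number (epoch seconds)


@dataclass
class PendingCode:
    code: str
    expires_at: float


# Constructed sample data: +15550100 was released by "alice_old" more than a year ago
# and has since been reassigned to a new subscriber.
ACCOUNTS = {
    "alice_old": Account("alice_old", "+15550100", NOW - 400 * 24 * 3600),
    "bob": Account("bob", "+15550199", NOW - 3600),
}
PENDING = {}    # username -> PendingCode (one outstanding code per account)
OUTBOX = []     # stand-in for the SMS gateway: (phone, text) pairs that would have been sent


def send_sms(phone, text):
    OUTBOX.append((phone, text))


def new_code(username, now):
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = PendingCode(code, now + CODE_TTL_SECONDS)
    return code


def vulnerable_reset_by_phone(phone, now=NOW):
    """The flow from the reader's account: the phone number alone selects the
    account and receives the code, so whoever holds the number today gets in."""
    for acct in ACCOUNTS.values():
        if acct.phone == phone:
            send_sms(phone, f"Your reset code is {new_code(acct.username, now)}")
            return acct.username   # the current holder of the number is handed the previous owner's account
    return None


def hardened_request_reset(username, phone, now=NOW):
    """The caller must name the account, the number must match what is on file,
    and a number that has not been re-proven recently is not trusted on its own."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.phone != phone:
        # Same answer for an unknown user and a wrong number, so the endpoint
        # does not reveal which accounts a number is attached to.
        return "generic_response"
    if now - acct.phone_verified_at > REVERIFY_AFTER_SECONDS:
        return "needs_additional_verification"
    send_sms(phone, f"Your reset code is {new_code(username, now)}")
    return "code_sent"


def complete_reset(username, code, now=NOW):
    """Accept a code only for the account it was issued to, once, before expiry."""
    pending = PENDING.get(username)
    if pending is None or now >= pending.expires_at:
        return False
    if not secrets.compare_digest(pending.code, code):
        return False
    del PENDING[username]
    return True
```

Run against the sample data, `vulnerable_reset_by_phone("+15550100")` hands the new subscriber the `alice_old` account, while `hardened_request_reset("alice_old", "+15550100")` refuses to rely on the stale number and asks for additional verification.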

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you know was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied to any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone numbers are tied to peoples’ identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Oftentimes when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There are all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.

Update, March 18, 1:25 p.m. ET: On March 14, Google published instructions describing how to disable SMS or voice in 2-step verification on G Suite accounts.


86 thoughts on “Why Phone Numbers Stink As Identity Proof”

  1. Sam Penrose

    I am a software developer on his second round of attempting to provide an identity service to app users in emerging markets (read: people who use under-powered, under-secured Android phones). It would be great to hear from experts such as Nixon how best to *provide* authentication services to those people; they are a large fraction of the world’s population, and they aren’t purchasing Yubikeys.

    1. Louis Leahy

      Hi Sam, we think we have the answer to how authentication can occur independent of the user device with 2fa. We are trying to raise some funds to build it because we can’t get support from Government or Industry; more details are on our site, see https://armorlog.com/help-us thanks.

      1. Rob Shein

        Hm…it doesn’t seem that a password vault (what you are stumping for other people to fund as a project) is the solution. Those already exist, and actually are one of the bigger challenges of this problem, instead of the solution.

        Sam’s question is not where to store passwords; it is a question of multi-factor authentication in addition to passwords, and the absence of alternatives to an approach which assumes your phone number is strongly tied to your identity. Duo and Yubikey (among others) are options that work well in industrialized nations, but both have major challenges in developing nations. The solution most certainly is not YAPV (Yet Another Password Vault).

    2. Dennis

      I’m a software developer as well. A very cheap solution for a secure user authentication is to use time-based one time tokens that can be generated with a free app such as Authy or Google Authenticator. It does not require the use of SMS (which is horribly insecure) and is very easy to implement on the server/app side. So research that. There are plenty of solutions on GitHub. So search for “TOTP – Time-based one-time password” implementation specific for your programming language.

      1. Tim

        Dennis,

        The problem I see with these options is how you provision a new device for use with them (e.g. you buy a new phone). You have to fall back to the same old methods, do you not?

        Thanks,

        Tim

    3. Gary

      You can download freeotp. It is a redhat product.

      https://freeotp.github.io

      If you run Linux, there is a simple command line program that you can run to gain some confidence on how this scheme works. The command line program’s name escapes me since I haven’t experimented with this in a while. But the basic idea was once you generate the key, you can verify that both the app and Linux are in sync. Presumably you could work the program into a script, but really what you want to do is use the same library as the command line program.

      It is suggested you enable the system to use either the current or previous code since some people are slow with the cut and paste.

      Steve Gibson’s scheme as mentioned above is nearly ready. I give the guy credit since he put off working on his only paying product to develop squirrel. Probably close to two years.

    4. Allison Nixon

      Hey, it’s me from the article. I’m sorry to say that I don’t have a good answer for you. Every online ID option out there is a hack made by tech bros with no clue about social issues, and thus can’t accommodate people that aren’t western and employed. If you have to serve a whole population, you have to deal with language barriers, lack of tech skill, lack of intelligence, housing, money. You also have to accommodate social problems like homelessness, abuse, divorce, crime. Emerging markets also have to cope with electricity cuts, but everything else about this applies to developed Western countries too.

      Gov issued photo ID has been the gold standard for a long time, because it’s hard to fake, easy to use, and you can be reasonably sure the entire population has one because adoption is mandatory. It’s illegal to possess a fake ID. But there’s no way for me to give my gov issued photo ID to a website in a manner that can’t be faked.

      It also can’t be tied to a proprietary ecosystem, and needs to have physical locations where people can establish their identities for the first time as well as address fraud. LE support needs to be there too.

      Private sector is poor at all of these things and you won’t have a good answer to your question until the government picks up the slack. I’d love to be proven wrong, but I’m still waiting.

      1. Christoph

        Allison, there are actually ways to present your government ID to a website. It’s just that they are very cumbersome, require extra hardware on the user side and suffer from the typical chicken and egg problem.

        In Germany, the national ID card (“Personalausweis”) has an eID function. It can work with a contactless reader that is totally unsecured up to one that is highly contained with secure display and PIN pad, but who has a contactless reader attached to their PC? And the software suite to go with it was big and clumsy, used to require old and flawed browser versions. Add to that the lack of services (be it eGovernment or industry) and you had the proverbial dead horse.

        I believe some Scandinavian countries and some of the Baltic states have better eGovernment solutions but no first-hand experience on my part.

        1. squeeze

          There are many countries, including developed ones, that have no mandatory government ID, certainly nothing uniform that could be used online either by the state itself or third parties.

          As Allison said, there is no known effective, universal system, not even at government level.

          1. Christoph

            Nobody talked about a mandatory government ID, just the availability.

            But if you want to use a secure form of ID, you should be able to get it from your government, mandatory or optional, if it was to meet the most stringent KYC requirements and level of trust.

  2. tz

    Steve Gibson created SQRL for authentication.
    He wanted it perfect instead of quick.

    @SP above – an audio device that would respond to a challenge using some kind of FSK – with a small secure enclave type key for the signature. An attacker would need both the phone and device (and you can add a passcode or some other “what you know” factor in case both are stolen).

  3. Larry

    This has bothered me for a long time. My solution was to get a Google Voice number and use that as my “official” number. Not perfect, but at least it’s a number I can control.

    1. Ethan Stone

      I put all sensitive accounts onto a Google voice account (and separate dedicated Google account for e-mails) with Advanced Protection enabled (Yubikey required to login and account recovery is cumbersome). The Google voice account forwards to a dedicated feature phone from a carrier with no stores and a number I’ve never given to anyone other than Google. It’s not NSA-proof, but it is secure against garden variety fraud. Much as I would like to think I’m important enough to be targeted, I’m not. So it’s enough to be high hanging fruit.

    2. Tim

      Larry,

      Issue with Google voice is that it’s accessible via e-mail. So, if someone cracks your e-mail, they’ve got your voice account. So, then you secure your e-mail by MFA to, typically, your cell phone. The whole thing gets very circular.

      Cheers,

      Tim

      1. Larry

        I use Google Authenticator, but the fallback is still SMS. There is no perfect solution.

        For another article when Brian gets around to it, medical records systems tend to use birth date and last name, with other publicly available PII for backup. But I created an account with an Epic EMR personal portal with just my name, birthdate, address and PHONE NUMBER.

      2. Dave

        There are several ways to mitigate the problems you described. First, get a new Google Voice account that you ONLY use for two factor authentication, not email or anything else. To avoid the number recycling issue described in the article, select a newish area code. Not all new area codes are available for GV, but some are. Then secure your account with a Yubikey only. You will need to remove your cell phone number from your account after initial verification. And make sure you get at least two Yubikeys and keep a backup off-site. Then go into all of your sensitive accounts and remove your other phone numbers. You may get locked out of some banks until you undergo enhanced verification. It can be a hassle, but eventually you will be secure. Also, optionally, you can install a different browser that you only use for verification and then keep it open in the background for security alerts. This browser would have the home page set to Google Voice and would not be used for any other purpose.

  4. The Sunshine State

    I had this problem with a recycled number from a previous person. I was getting credit collection calls because the guy for whatever reasons stopped paying his bills.

    1. Nony Mouse

      During the Snowden era, I was trying to explain why the domestic surveillance was so bad. She kept saying “if you haven’t done anything wrong…”

      Then I got a new cell phone number. And the solicitations to purchase weed started coming. I HAD done nothing wrong, but let’s say the police arrested that dealer and checked his phone. My number would have been targeted and I would have had to hire a lawyer, just to prove my innocence. That would have been a few thousand down the drain.

      All because I inherited someone else’s phone number.

  5. Dennis

    Using a Yahoo account — here’s your problem right there. No seriously, ditch that account as soon as possible, and switch to Google (or gmail.com.) You can set up auto forwarders at Yahoo to send all your mail to gmail and then switch all your important accounts to a new email address. Then set up your gmail with a time based 2FA token via Google Authenticator app or Authy and it will be way more secure.

    Also for people who live in the US there is a good alternative to SMS (text) based authentication for companies slow-on-security (cough, PayPal and others) that still provide only SMS based forms of 2FA is to get a Google Voice number and use it for SMS number instead. This way it will not be subject to SIM swapping. The only downside is that it is not available outside of US. And also on top of that, some exceptionally dull companies seem to block Google Voice numbers when you try to provide them as your cell number. But that’s just a face palm, so no words there. I’d stay away from such companies.

    In the long run, we will need some form of our own GDPR that will severely punish telcos for releasing our accounts in such a flippant way as it is done now. When they have to pay a percentage of their income for every illegal SIM swap that their silly customer service in India or the Philippines authorizes on someone’s phone number using just their Zip code, date of birth and the email address, maybe they will stop such practice. As much as I hate to admit it, but we need a better legislature to punish the true offenders — the telcos.

    1. Steve

      You need to read about IMAP-based attacks and how useless 2FA can be in that scenario. IMHO, the issue at hand is that we are moving too fast implementing technology in many areas, and there is not enough effort to keep them secure. Think it like this: if you keep adding devices, operating systems, services, protocols, etc. you reach a point where it is a mess to keep up properly with everything. Meanwhile, the bad guys just need to succeed once, and they have tons of CVEs to pick from.

    2. Allison Nixon

      If you outlaw phone number recycling, you will *literally* break the phone system. There aren’t enough numbers.

      1. Jack Potter

        Allison, true – not enough numbers.

        One comment regarding your response about recycling phone numbers and people that don’t pay their bills: I purchased a new phone 12 years ago (new number after changing providers).

        To this day, I get several phone calls a year from various debt collectors for the previous owner of the number.

        Your comment that the people that don’t pay their bill and get their numbers recycled are not a huge threat due to their income level can in fact be an issue if someone who is not on the lower income scale (or pays all their bills on time) gets that recycled number. It poses a risk for them.

        Good article. Your comments were great. This is a great example of why fraud is so rampant now versus years ago when an actual id was required for any transaction. Thanks to you both for bringing this to light.

  6. Dennis

    Also check this out. An example of how easy it is to take over someone’s cell phone account. This is in Canada, but I can guarantee it works similarly (in your area):

    https://www.youtube.com/watch?v=Ck_r2GYLdCI

    At about 5 minute mark they’ll try to get into that girl’s account via Social Engineering. Watch how easy it is.

  7. NoGoogle

    Larry states – “This has bothered me for a long time. My solution was to get a Google Voice number and use that as my “official” number. Not perfect, but at least it’s a number I can control.”

    The major email systems – Google, Yahoo, AOL, others, do not accept a Google Voice number as a cell phone number.

    1. acorn

      Also, Google Voice spam call blocking wasn’t good enough in my opinion. I gave up on it.

  8. CB

    Considering the situation of a messy divorce or separation: What about the case where the ex for some reason gets control of the phone number? In fact, you wouldn’t even have to wait for the divorce — it could be a situation with an abusive partner, even before you get physically separated. Seems a likely scenario to me.

    1. Allison Nixon

      Yeah and it’s one of the many situations that aren’t accommodated for in the design of these new ID methods.

      Under the old system, if an abusive partner showed up at a bank and presented the gov issued photo ID of their ex, they would leave the building in handcuffs. Under the new system, ID isn’t presented in a public place, there are no consequences for behavior, and there is no way to verify who is on the other end.

  9. Allan Gregg

    I got a much simpler solution. My credit card provider now also has implemented 2FA, even for checking out the transactions on internet. Some years ago, I have rented a text (SMS) number which is not linked to a cell. I can in fact access it from that company’s website. So, if my credit card provider sends me a text, I fetch it from my account with that company and it’s done. If you get your 2FA text on your $1,000 pocket botnet, your business.

    1. Moike

      That solves the problem of the Telco carelessly reassigning your number to someone else, but the rented SMS number is freed for someone else as soon as you stop paying for it. (Which can easily happen accidentally for a number of reasons)

      1. Allan Gregg

        “Which can easily happen accidentally for a number of reasons.”

        Such as? If my credits reach a specified threshold, I get an e-mail notification. Also, I have rented a fax line with the same company & do use it quite often.

        It’s stuff I rely on so I won’t forget the top-ups. And the company is a few years older than Google…

        Really no need to add unnecessary complexity & hypothetical what ifs.

        1. Anndrew

          Allan, you’re still relying on the fact that someone else controls that number, not you.

          From forgetting to pay your bill to someone successfully convincing that company’s service desk that they are “you” and “you” have simply forgotten your password (or lost whatever access token you had) for the service, there is always a variety of ways you could lose access to that number.

  10. JM

    Emerging standards like FIDO/WebAuthn, supported by Microsoft, Google and others, are the way to address phishing, SIM swap and account takeover.
    OTP from a mobile app or push notification are good cost-effective options.

    These methods also meet newer industry guidelines and best practices to stop using SMS-based 2FA

  11. Simon

    I would say, more common is the (regular) termination of a phone contract. While this is a usually planned action, it is easy to forget which accounts are linked to the old number.
    In Germany you have to pay 30€ for keeping the old phone number; if you have to transfer a phone number across persons an additional 30€ has to be paid (e.g. when children are legally allowed to have their own phone number and want to keep their old one).
    Many persons simply don’t want to pay that.

  12. Lindy

    When I first moved to Berkeley, CA…. MANY years ago I got assigned the former phone number of a hooker. AWK-ward!

    1. Name Required

      That is fantastic! I would have had the time of my life pranking those people. There are so many funny options I can imagine pranking them with to turn off a thirsty dude looking for some tang.

  13. Fritz

    Hey Sam, send Louis some money he has it all figured out.

  14. Jeff Strubberg

    Let’s not throw the baby out with the bathwater here. I didn’t come across a single anecdote in the article that wouldn’t have been prevented by the phone number being used as a second form of identification rather than the only form.

    The problem here isn’t the method being used, it’s that there is only one method. Lazy programming and poor credential hygiene will defeat even biometrics as an authentication method. This is the same issue we’ve faced with passwords. If you give people the opportunity to do security badly, they will. It’s just more convenient to them.

  15. Outside The Marginals

    And to think that some trendy politicians want us to be able to vote by phone!

    Ideas of personification, coercion come to mind.

    Perhaps that is why said politicians are in favour of us trusting our democratic rights to such an insecure process!

  16. Anon404

    “an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in.”

    DUO already offers this for sites/services that support it.

  17. Catwhisperer

    One possible solution is to implement the fingerprint reader that is already on many phones and laptops as a further method of identification. This would probably require some changes from the phone manufacturers to open that fingerprint reader to 2FA applications such as Authy or Authenticator as an input device. Implementing such a system would eliminate the number change/loss/theft issue. The con to this idea is that not all phones have the fingerprint reader capability, especially in the lower end of the price spectrum.

    1. Jeff Strubberg

      Only if you do your due diligence in protecting that biometric information. In this day of data breaches can you guarantee your fingerprint will never be “stolen”?

      Remember, you can’t change that credential if it becomes unreliable!

    2. Pete 2

      Cell phones with fingerprint readers are becoming common and inexpensive. In China they are available for well under $100 total cost (e.g., on Alibaba). A fingerprint reader can be very secure (and fast) when on its own chip inaccessible to the OS.

    3. Soy Tenley

      Some people have no fingerprints.
      I was astonished, as a Boy Scout, when we ran a fingerprinting booth at the county fair, to find out my grandmother could not be fingerprinted. She was 72 at the time. She had worn her fingerprints off handling papers as a school teacher for over 30 years.

  18. Erasmus B Dragon

    “So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. ”

    But only if one knows of specific yahoo account(s) tied to that mobile number.

    There’s no “Tell me the accounts associated with this phone number” functionality in yahoo

    For numbers released into the pool and picked up by a random phone subscriber, it’s unlikely both parts will be true.

  19. vb

    It’s possible to communicate with a phone without using the phone number, only using MEID/ESN. That’s what a cell tower does. In this manner, the phone is like a Yubikey, a hardware device that responds when pinged.

    What’s needed is a DNS-like system that ties a person’s human readable ID to a phone’s internal number. A phone’s internal number is not reassignable. That linkage would be permanent and not subject to a SIM swap. I think that only three letter government agencies can spoof an MEID/ESN.

  20. Wintermute

    Great piece. 2FA via mobile phones pretends to be very secure, but clearly it’s not.

  21. Z

    I was hacked by someone convincing the telco to transfer my number to a cell phone. Even though I requested immediately that the transfer be aborted the telco still allowed the number to be transferred. The hackers then cancelled my credit card using the transferred number and got a new CC sent with a higher credit limit which they proceeded to drain via transfer to JP Morgan. It took two weeks to unravel the mess.

    I supposedly had a block on having my number slammed but somehow that wasn’t honored.

  22. Olaf Jonkers

    Hi Brian, Allison,

    We actually recognised this problem in 2015, and created a solution based on what you refer to. It has quite some adoption already in Belgium as alternative to the official electronic ID card (no reader req.), more detail on http://www.itsme.be.

    Kind Regards, OJ

  23. M.J.

    Sometimes it is impossible not to get access to other people’s accounts. My two primary emails are: a five-letter gmail address, and firstname.lastname type of address on Microsoft’s service.
    I receive other people’s emails several times a year. It can be anything. Paid subscription to an online gaming service, to a news site, or a Netflix family account. Flight tickets. Insurance company responses to accident claim.

    I have come to the conclusion that most people do not care who accesses their email and service accounts. Some don’t even bother to fix their mistake after I tell them. The thought of using 2FA probably has never crossed their mind.

  24. Sam Penrose

    Thanks so much for the thoughtful and generous responses everyone, particularly to Allison for doing double-duty as interviewee and correspondent. Thanks also to Brian for providing such a valuable resource and great community around it.

  25. Yet another Dongle

    Good issue and not really resolved. @Jeff is correct, just using phone number as a single factor is a guarantee of trouble. The issue is bigger though. I went to my local carrier’s store to secure my SIM with some way of notifying me if it was hijacked. The Manager and staff claimed never to have heard of SIM hijacking. I’m not sure if that means they are honest or covering up. Either way not helpful.
    Apps like Google Auth are great. Swapping to a new device is messy but doable if you have the old one next to you. If the old one is stolen, lost or damaged then there’s a real problem.
    Embarrassing: I administer a web site with Google auth implemented. I’ve gone searching for the recovery key so I can store it. I can’t find it … on my own site. I used an open source tool, so tracking down an answer is a problem. If I lose my phone I’ll have to rebuild the site! (pretty easy with modern tools, but still a bit drastic!).
    So Brian, thanks for contributing to this conversation. It really needs a better resolution.

  26. Tim de Vries

I use a selection of three questions out of about a half dozen, like my bank uses. The user must provide an answer to those questions. That data is one-way hashed and only by providing the correct answer to those questions are they then able to reset their password. For increased security it could be required to supply 10 answers and use a random selection of which questions to respond to. It doesn’t verify ID as in govt, however it does verify the correct person is responding with the correct answers. Pretty tough to randomly guess. Implementing an incorrect answer time delay or support lockout shouldn’t be too difficult. It really depends on how secure you need the system to be. A user that has correctly authenticated should be able to download a private key that could be stored encrypted on the server, but you are always faced with a weakest link scenario. So it always comes back to how secure someone requires and build to that.
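An added example (not the commenter’s code) of the reset scheme described above: answers are normalized, stored only as salted PBKDF2 hashes, a random three-of-six subset is asked on each attempt, and repeated wrong answers lock the reset. The questions, answers, iteration count and lockout threshold are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your server
MAX_FAILURES = 3              # assumed lockout threshold


def normalize(answer):
    """Case- and whitespace-insensitive, so 'Spring Field ' matches 'springfield'."""
    return "".join(answer.lower().split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); the plaintext answer is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ResetChallenge:
    def __init__(self, question_answers, ask=3):
        self.records = {q: hash_answer(a) for q, a in question_answers.items()}
        self.ask = ask
        self.failures = 0

    def pick_questions(self):
        """Random subset per attempt, so a fixed set cannot be researched in advance."""
        pool = list(self.records)
        return [pool.pop(secrets.randbelow(len(pool))) for _ in range(self.ask)]

    def locked(self):
        return self.failures >= MAX_FAILURES

    def verify(self, answers):
        """True only if every asked question is answered correctly and no lockout is active."""
        if self.locked():
            return False
        ok = len(answers) == self.ask
        for question, answer in answers.items():
            record = self.records.get(question)
            if record is None:
                ok = False
                continue
            salt, expected = record
            _, actual = hash_answer(answer, salt)
            # evaluate every answer and compare in constant time: a failure
            # should not reveal which of the answers was wrong
            ok = hmac.compare_digest(expected, actual) and ok
        self.failures = 0 if ok else self.failures + 1
        return ok
```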

  27. John

    I don’t have a good solution to the cell phone ID, except to avoid it with banks. Mine is a half solution – I removed my cell number from my gmail account, then use that for 2FA. Then I try to deal only with banks that don’t require SMS; in the US that’s difficult.

    It’s really surprising how few US banks even approach useful 2FA. I thought mine did until they continued to authenticate me with mandatory SMS texts after I instituted their TOTP 2FA. Maybe the answer is to have separate companies for banking, insurance, and credit cards; I do want credit card companies to phone me with fraud alerts.

    Also, I’d say that 90% of my phone calls are spam, so I do want to be able to see the (supposed) originating phone number so that I don’t have to answer each call.

    1. Readership1

      Use whatever options you’re provided and stop worrying.

      If it gets broken into, it’s not your problem. It’s the BANK’s problem. They’re on the hook for any loss. They’re responsible for site security.

      If they wanted to issue time-based key fobs (as some banks tried in the late 90s), they’d be doing it. If they wanted to pass along USB tokens, they’d do it. But they don’t.

      It’s not important to them, because they’re not dealing with significant amounts of fraud.

      So why are you worrying?

      1. John Clark

        It takes a lot of effort to prove that the bank is at fault. Effort is time, and that is money that many people don’t have.
It’s far better if the US banks developed a safe reliable system.

        1. Readership1

          As long as the customer uses the security that’s provided, monitors their statements, and informs the bank of any discrepancies, the bank is responsible for any problems over $50.

If the bank doesn’t offer 2FA or time coded key fobs or YubiKeys or whatever, that’s not the customer’s problem. That’s the bank’s problem.

          But that’s all technicalities.

          Practically speaking, a bank is just a business, not the enemy. If you tell them something’s wrong, they’ll fix it.

          I don’t know why you’d deal with a bank where the tellers and desk jockeys are too intimidating for you to approach.

          If you’re that worried about time and effort, you’re banking in the wrong place.

  28. Julian Uy

    How complicated would it be to make use of the TOTP algorithm without using phones or anything else, just using your brain?

Comments are closed.