Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication
Josh Centers

If you follow recommended security practices, you use two-factor authentication on every online service that allows it. For those who aren't familiar with two-factor authentication, it means that a username and password are no longer sufficient to log into your account: you must also provide a six-digit one-time code, which is either sent to your phone via SMS text message or generated by an authenticator app as a time-based one-time password (TOTP). (Then there's Apple's two-factor authentication for Apple ID-protected logins, which relies on Apple-proprietary communication channels and devices and thus breaks the usual conventions; see "[1]Apple Implements Two-Factor Authentication for Apple IDs," 21 March 2013.)

SMS is the most popular method of receiving two-factor authentication codes, because it's nearly universal and easy to understand. You give your phone number to an online service, and it sends you a code to enter when you try to log in. Easy.

But SMS is less than ideal, as a recent Facebook issue has (once again) demonstrated. In theory, the phone number you provide to Facebook for two-factor authentication should be used only for that. However, many Facebook users are receiving unwanted text-message notifications from Facebook; [2]9to5Mac gathered a number of those stories together. Even worse, if the user replies, that text gets posted to their Facebook wall! So if you were to text STOP, an entirely reasonable thing to try, it would be posted on your wall for the world to see. It's uncertain whether this behavior is a bug or was deliberate on Facebook's part.
The company's mealy-mouthed response to press inquiries does nothing to clear things up:

"We give people control over their notifications, including those that relate to security features like two-factor authentication. We're looking into this situation to see if there's more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook."

This is the first time we've heard of this sort of problem, but SMS is notoriously awful for two-factor authentication. Here's a list of headlines demonstrating that:

* [3]CNET: "Why you are at risk if you use SMS for two-step verification"
* [4]Forbes: "All That's Needed To Hack Gmail And Rob Bitcoin: A Name And A Phone Number"
* [5]Macworld: "Your cell phone number could be hijacked unless you add a PIN to your carrier account" (Hi, Glenn!)
* [6]TechCrunch: "Coinbase vulnerability is a good reminder that SMS-based 2FA can wreak havoc"
* [7]The Hacker News: "End of SMS-based 2-Factor Authentication; Yes, It's Insecure!"
* [8]The Register: "Standards body warned SMS 2FA is insecure and nobody listened"
* [9]The Verge: "This is why you shouldn't use texts for two-factor authentication"
* [10]Wired: "So Hey You Should Stop Using Texts for Two-Factor Authentication"

The common thread in those stories is that an SMS code is only as safe as the route it travels: a phone number can be moved to an attacker's SIM through the carrier (which is why a carrier account PIN is recommended), and messages can be intercepted in transit through the SS7 signaling network, so the code arrives at the attacker instead of at you. A code generated on your own device never crosses that network.

In short, using SMS for your two-factor authentication codes is a bad idea! Unfortunately, some Web sites force you to do just that; PayPal comes to mind. Thankfully, most online services that support two-factor authentication let you use an authentication app that generates those time-based one-time passwords for you automatically, starting from a secret seed provided by the company. In fact, Facebook supports both independent authentication apps like [11]1Password, [12]Authy, [13]Google Authenticator, and [14]LastPass Authenticator, and provides its own code-generation capability within the Facebook app for iOS.
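To make concrete what such an app does with that seed, here is an added example in Python (it is not code from the article, from Facebook, or from any of the apps listed above). It parses the otpauth:// key URI that authenticator apps read from a setup QR code, base32-decodes the secret, and produces the six-digit code from the current 30-second time step with HMAC-SHA1 as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). It also shows the server side of the check, which accepts one step of clock skew either way and compares in constant time. The account name "alice", the Facebook-style label, and the seed value are assumptions for the demo; the seed is the RFC 6238 reference key, so the results can be checked against the published test vectors.

```python
"""RFC 6238 TOTP generation and verification from a base32 seed.

Added example; not the article's, Facebook's, or any authenticator
app's own code.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the secret and parameters from an otpauth:// key URI.

    Setup QR codes encode a URI of this shape (the de-facto key URI
    format used by Google Authenticator and compatible apps):
        otpauth://totp/Issuer:account?secret=BASE32&issuer=Issuer&digits=6&period=30
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": parts.path.lstrip("/"),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [""])[0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def decode_seed(secret_b32: str) -> bytes:
    """Base32-decode a seed, tolerating the spaces and lower case that
    sites use when printing the key for humans to type."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the site stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits)


def verify_totp(key: bytes, submitted: str, at: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to absorb clock skew; compare in constant time."""
    step = at // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 reference seed, base32-encoded,
    # inside a hypothetical Facebook-style key URI for a user "alice".
    seed_b32 = base64.b32encode(b"12345678901234567890").decode()
    uri = f"otpauth://totp/Facebook:alice?secret={seed_b32}&issuer=Facebook"
    params = parse_otpauth_uri(uri)
    key = decode_seed(params["secret"])
    now = int(time.time())
    code = totp(key, now, params["period"], params["digits"])
    print("code for", params["label"], "right now:", code)
    print("server accepts it:", verify_totp(key, code, now))
```

The seed is the only secret in this scheme: anyone who obtains it (from a screenshot of the QR code, a saved secret key, or an unencrypted backup) can compute every future code, which is why the apps named above encrypt their token stores. The verification window is a deliberate trade-off: one step either way covers ordinary clock drift, while a wider window gives a guessed or intercepted code a longer life.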
To set this up, start on the Facebook desktop Web site. Click the down-pointing arrow in the upper-right corner and choose Settings. Click Security and Login. Under Setting Up Extra Security, look for Use Two-Factor Authentication. Click the adjacent Edit button.

[15][Image: Facebook settings]

Look for Code Generator and click Enable. Then you can click the "third party app" link to reveal a QR code and secret key you can use to set up your preferred authentication app. Treat that secret key like a password: anyone who copies it can generate your codes, so scan it straight into your app rather than leaving it in a screenshot or a text file.

[16][Image: Facebook extra security settings]

Unfortunately, you cannot disable the text message option entirely unless you also set up a USB or NFC security key for authentication, like this [17]FIDO U2F security key. Keep that in mind if you're worried about SMS two-factor authentication or if Facebook starts sending unwanted text messages. While the text message option remains enabled, it stays available as a fallback, so switching to an app does not by itself remove the risk of someone who hijacks your phone number receiving your codes.

While you're in Facebook's settings, you can also make sure you're not set to receive text messages. Click Mobile in the sidebar. When I checked, text messaging was not activated, as in the screenshot below.

[18][Image: Facebook SMS notification setting]

So which app should you use for two-factor authentication? I was a big fan of [19]Authy (see "[20]Authy Protects Your Two-Factor Authentication Tokens," 6 November 2014) until [21]1Password rolled out support for two-factor authentication. I prefer 1Password's implementation because on the Mac it copies the code to my clipboard after auto-filling my username and password. Regardless, we strongly advise choosing a solution that offers backups or cloud sync, lest you get locked out of your accounts when you upgrade phones, as once happened to Glenn Fleishman (see "[22]Dancing the Two-Step: Coping with the Loss of a Second Factor," 28 August 2013).

References
1. http://tidbits.com/article/13654
2. https://9to5mac.com/2018/02/15/facebook-spam-2fa/
3. https://www.cnet.com/how-to/why-you-are-at-risk-if-you-use-sms-for-two-step-verification/
4. https://www.forbes.com/sites/thomasbrewster/2017/09/18/ss7-google-coinbase-bitcoin-hack/#2f22cdd941a4
5. https://www.macworld.com/article/3082626/security/your-cell-phone-number-could-be-hijacked-unless-you-add-a-pin-to-your-carrier-account.html
6. https://techcrunch.com/2017/09/18/ss7-coinbase-bitcoin-hack-2fa-vulnerable/
7. https://thehackernews.com/2016/07/two-factor-authentication.html
8. https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
9. https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
10. https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
11. https://1password.com/
12. https://authy.com/
13. https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8&at=10l5PW
14. https://lastpass.com/auth/
15. http://tidbits.com/resources/2018-02/Facebook-settings.png
16. http://tidbits.com/resources/2018-02/Facebook-extra-security-settings.png
17. http://www.amazon.com/dp/B00NLKA0D8/?tag=tidbitselectro00
18. http://tidbits.com/resources/2018-02/Facebook-SMS-notification-setting.png
19. https://authy.com/
20. http://tidbits.com/article/15214
21. https://1password.com/
22. http://tidbits.com/article/14036