MFA Post 7: Other Contact Mechanisms (Email, Phone,...)

-

 In addition to sending codes via SMS some service providers may send codes via other contact mechanisms, such as email, phone, or various chat applications. These mechanisms are very similar to SMS: they are mechanisms to deliver a code to a user. Usually the code is 6 digits. 

The security of these mechanisms varies and depends on a large variety of factors that are largely outside the scope of the mechanism itself. Email, and some of these other ones, are very often used as a possession proof for password reset as well. The assumption is that if you have access to the email account you must be the customer who registered an account with that email address. However, this creates a security dependency. The security of the account you are resetting the password for depends completely on the security of the email account. Sadly, most people do not protect their email account to the extent that would be prudent if you are going to make the security of your retirement account dependent on it. In most cases where email accounts are used in a password reset workflow the customer does not even get a chance to opt into this feature. They may not know this is how the flow works until after their account has been compromised. For this reason, you should always consider your personal email account to be as sensitive as all your most sensitive accounts and require the highest assurance level protection. Unfortunately, this is somewhat at odds with how the email protocols work and the protection offered by many email providers. 

Advantages

In terms of advantages, these mechanisms have the same advantages as SMS, with one additional one: people who cannot use SMS can sometimes use one of these mechanisms. For instance, call center employees may be barred from bringing mobile phones onto the floor. However, they may be able to get a code via email. Similarly, voice calls work over landline phones as well as cellular phones, although fewer and fewer people have those these days. 

Disadvantages

The disadvantages depend on the exact delivery mechanism. For example, voice calls over mobile phones are subject to the same interception risks as SMS. Email is sometimes transmitted in clear-text across the Internet. Although successfully intercepting Internet traffic is harder than we often seem to think, it is possible and the end user very likely will never know that this happened. If a user uses one of the many smartphone email apps that store data in their own clouds (such as the Outlook app and Edison Mail) the authentication codes and reset messages are stored on a third-party cloud service as well. They may even have been available to developers of those tools.


Email is not a real-time delivery mechanism. While we are used to it being very fast, it is not unheard of for codes to expire before they get delivered. Many people also have their email accounts set up on multiple computers, which means the codes get delivered to more than one computer. That increases its exposure to malware or monitoring tools if any one of those devices is compromised.


While most relying parties these days verify that you actually have access to the email account before they rely on using it for things like password reset, email verification is by no means universal. Many service providers still do not verify that you actually own the email address you gave them. Some customers actually use this in a misguided attempt to preserve privacy. In reality, it means the provider may send reset codes to addresses that the customer doesn’t actually own, allowing someone else to take over the account. Even if they verified it originally it does not mean the customer still owns it. Contact information used for sensitive purposes must be periodically revalidated.


Other delivery mechanisms, such as various chat applications, come with their own sets of advantages and disadvantages. It’s very difficult to enumerate them all, but as a general rule, these mechanisms probably should all be considered equivalent to SMS in terms of the level of assurance they provide. There may be differences but overall it’s a reasonable comparison. 


None of these mechanisms are more phishing resistant than SMS, and possibly less so depending on the circumstances. 


In conclusion, my advice to implementers would be to consider these mechanisms very carefully, especially when using them for password reset. The reality is that the vast majority of your customers do not protect their email accounts as well as they should considering that they are the vital piece that ties together their entire digital lives. I would encourage you to be extremely clear and transparent on this point and not just include it in the 16-page terms and conditions that nobody reads and that most service providers can’t act on even if the user tried. 

Comments

Post a Comment

Popular posts from this blog

U2F, FIDO2, and Hardware Security Keys

-
  In our journey through possession proofs we have encountered hardware factors of various kinds. HOTP and TOTP is often implemented as hardware devices, and of course, so are Smart Cards. In this post we will look at authenticators that implement the FIDO standards -  U2F, WebAuthn, and CTAP2. WebAuthn and CTAP2 are collectively part of the FIDO Alliance ’s FIDO2 protocol suite. U2F and UAF are older FIDO protocols that are supported under FIDO2. They can all be thought of as being part of the FIDO2 suite of protocols.  To understand these protocols, and their advantages and disadvantages, we need to be familiar with the three fundamental actors: Relying party (RP) - Also known as the server. This is the service that a user wishes to log into. Client - This is the application that brokers the authentication from the relying party to the authenticator and eventually the user. Much of the time, this is a web browser, but it could be any application. Authenticator - This is a thing tha
Read more

The Busy Executive’s Guide to Personal Information Security

-
Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware. If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do. 1. Patch Your Stuff! The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable
Read more

Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO. The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity.  However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But, that is a good  thing. Why? Because you, as a security leader control  that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, stop reading th
Read more