{"id":1461,"date":"2016-11-29T14:46:21","date_gmt":"2016-11-29T18:46:21","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=1461"},"modified":"2016-11-29T14:46:21","modified_gmt":"2016-11-29T18:46:21","slug":"why-using-sms-in-your-authentication-chain-is-risky-appsec-2016","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/why-using-sms-in-your-authentication-chain-is-risky-appsec-2016\/","title":{"rendered":"Why Using SMS in Your Authentication Chain is Risky, AppSec 2016"},"content":{"rendered":"

Passwords are horrible for security. Over the past 20 <\/em>years we\u2019ve bolstered the password with other factors, the most common being a <\/em>one time password (OTP, TOTP, HOTP) that is either generated on a physical device the user holds, in a smartphone app or most commonly sent via SMS. Using SMS for authentication is not secure. We\u2019ve known this for years, but recently we\u2019ve been reminded of this with problems with Google and Apple SMS security. <\/em><\/p>\n

SMS is important to ensure we have a backup way of allowing people to <\/em>login to systems, but it should always be a last resort. So what\u2019s the first resort? Second factors to the password need a different communications channel to the one a user is authenticating to. SMS is not secure, but push notification methods are. It is possible to initiate a communication channel via Apple, Google and Microsoft mobile notification networks. At the end of these push notifications is a secured app that in turn securely communicates with the 2FA back end. Not only is this method more secure, it\u2019s actually a far improved user experience that can be extended beyond the login to secure in application transactions.<\/em><\/p>\n

This presentation will go over the limitations of traditional two-factor methods and introduce the improved approach using a push notification channel to achieve the same goal, i.e. authenticate a user identity by validating the initiating request comes from a person who has something in their possession which is trusted.<\/em><\/p>\n