Page MenuHomePhabricator

Guide: SMS is Insecure
Open, WishlistPublic

Description

(This is the current target of SMS is Insecure, and linked to in the MFA documentation.)

SMS is a very weak MFA provider and can be compromised or intercepted by an attacker.

SMS is relatively easy to use as an authentication factor, but is significantly less secure than other types of factors. Although it's probably a little better than nothing, the upstream strongly discourages its use. You should use it only if you have a very compelling reason not to use other factor types. In most cases, TOTP is a far superior factor to SMS.

It is empirically practical to compromise or intercept SMS. Here are some resources on SMS compromises and other types of carrier compromises (voice, voicemail):

  • In 2012, Cloudflare suffered a compromise related to carrier social engineering of Google MFA. Read More
  • In 2015, The Verge published an account of a carrier social engineering compromise. Read More
  • Since 2016, NIST has adopted language discouraging the use of SMS for MFA. Read More
  • In 2016, Wired published an article with a good overview of weaknesses in SMS MFA. Read More
  • In 2017, The Verge published another copy of "stop using SMS for MFA". Read More
  • In 2018, Reddit suffered a compromise related to SMS interception. Read More

Broadly, SMS is highly vulnerable to social engineering (where the attacker calls the victim's carrier and convinces them to give the attacker control of the number). It is also highly vulnerable to physical interception.