Multi-factor authentication is the new reality. A password alone is no longer considered sufficient. Phishing attacks, frequent leaks of password databases and the ubiquitous issue of reusing passwords make password protection unsafe. Adding “something that you have” to “something that you know” improves the security considerably, having the potential of cutting a chain attack early even in worst case scenarios. However, not all types of two-factor authentication are equally secure. Let’s talk about the most commonly used type of two-factor authentication: the one based on text messages (SMS) delivered to a trusted phone number.

SMS-based two-factor authentication

Two-factor authentication (2FA) adds an extra layer of security to your online accounts by requiring an additional factor such as a one-time password, time-limited code, an action performed on a trusted device, or a physical token. After signing in with your login and password, you’ll need to provide the additional – second – authentication factor. The most commonly second authentication factors used by Apple, Google and Microsoft are codes sent via SMS and prompt through an authentication app, while many major services such as Amazon, Facebook, Dropbox and PayPal rely on time-limited codes generated offline in standard “authenticator” apps using the TOTP protocol.

The use of the second authentication factor means that a hacker would need have both the user’s password and their second authentication factor. While different companies employ a diverse range of various authentication factors, SMS-based two-factor authentication still remains among the most commonly used – and the least secure types.

There are many things wrong with SMS-based two-factor authentication. For one, receiving a text message while traveling may be a very expensive option, or not an option at all depending on the roaming agreements between your mobile provider and the providers of your destination country. Text messages, especially when roaming, may arrive with a significant delay, with the code already expired by the time it arrives.

SMS-based two-factor authentication is also less secure than using alternative methods. While approving a push message (trusted device authentication) would generally require unlocking the phone by entering a PIN code or using biometrics, which more or less guarantees that the authentication prompt is confirmed by an authorized user, an SMS can be received by anyone who can pull a SIM card. Granted, SIM cards can be protected with a PIN, but how many users still have that?

Text messages can be intercepted even without the original physical SIM card. Hackers use social engineering to trick carriers into swapping a ‘lost or stolen’ SIM card. There have been reports of them using fake ID’s, fake power of attorney and plain old bribery to convince employees. Sometimes hackers port the number away to an online service using nothing more than a prepaid credit card as their proof of identity. In other words, there are simply way too many things wrong with security based on SIM cards.

There are also vulnerabilities in the mobile telecom system such as the renowned vulnerability in the SS7protocol. The SS7 attack enables a hacker intercept voice and SMS communications on a cellular network. According to telecommunications experts, all a cyber criminal would need to successfully launch an SS7 attack are a computer running Linux and the SS7 SDK – both free to download from the Internet.

Once the hacker has access to a trusted phone number, they can gain full control over the victim’s Apple Account, including but not limited to the following:

1. Resetting Apple ID password
2. Setting up a new device and restoring iCloud backups
3. Downloading iCloud backups and many types of synchronized data (excluding end-to-end encrypted categories)
4. Lock or erase the user’s other devices (possibly demanding ransom for unlocking)

All of this makes two-factor authentication based on text messages a very bad idea, so Apple implemented a different, significantly more secure approach.

Two-factor authentication based on trusted devices

Apple ecosystem employs two-factor authentication based on trusted devices. If you enroll an Apple iOS or macOS device such as an iPhone or a MacBook to your 2FA-enabled Apple Account, that device automatically becomes a trusted second authentication factor. Since Apple does not allow any device from outside of the company’s walled garden, users can only designate their iPhone, iPad or Mac as a trusted device.

There are several methods of using a trusted device as the second authentication factor. The push prompts:

A trusted device is an iPhone, iPad, or iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later that you’ve already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser. An Apple Watch with watchOS 6 or later can receive verification codes when you sign in with your Apple ID, but cannot act as a trusted device for password resets. Two-factor authentication for Apple ID

And the verification codes:

A verification code is a temporary code sent to your trusted device or phone number when you sign in to a new device or browser with your Apple ID. You can also get a verification code from Settings on your trusted device.

Both methods require the user to first unlock their device by using biometrics or typing their screen lock password. A hacker cannot use a stolen device for the purpose of receiving two-factor authentication codes without first unlocking the device, which, after a short while, will require entering the screen lock password. The screen lock password is a hallmark of Apple’s security model; there is hardly anything so vigorously protected in the entire ecosystem. In other words, device-based two-factor authentication is a modern, highly secure authentication system.

The problem of closed-ecosystem two-factor authentication

It may appear that two-factor authentication based on trusted devices, as implemented by Apple, is a secure and reliable system. In fact, it is. The problem lies slightly outside the scope of “trusted device 2FA”.

Imagine that the user lost access to their last owned Apple device, or only owned one device in the first place. Even if they can provide their password, there would be no easy way to regain access over an Apple Account once all possible methods of obtaining a second authentication factor are exhausted. (Quite the opposite is true if the user forgets their password but still has access to their second authentication factor: resetting the Apple ID password will be instant after only a few taps on the trusted device. This makes me wonder whether the password or the trusted device is actually the second authentication factor).

In The Ugly Side of Two-Factor Authentication, I have already described what happens if the user has no access to the second authentication factor. The user would have to follow the instructions outlined in Recover your Apple ID when you can’t reset your password. This is a step-by-step process, during which the user is asked to provide as much details about their account as possible. This may include trusted phone numbers, any credit cards on file, and possibly other information.

Depending on how much information the user has on file with Apple, and how much of that information they can remember during the recovery process, Apple may or may not grant access to the user’s account. Even if the decision is made in the user’s favor, Apple imposes a lengthy waiting period of multiple days. In any case, this is a lengthy process with no guaranteed outcome.

Obviously, all this would be a great hassle if users would have to pass through the recovery process every time they upgrade their (only) iPhone. For this reason, Apple made a firm requirement: two-factor authentication requires at least one trusted phone number on file.

A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. Two-factor authentication for Apple ID

If the user cannot access (or does not have) any trusted devices, Apple will send a text message (SMS) to the trusted phone number on file. Which brings us back to the weaknesses and vulnerabilities of SMS-based two-factor authentication.

Conclusion

The system is only as secure as its weakest link. In the case of Apple’s implementation of two-factor authentication, the weakest link is SMS-based authentication. Apple is the only major cloud provider that still insists on users having at least one trusted phone number on file, making the whole two-factor authentication scheme as flawed as SMS-based authentication in whole.