Safe Texts and Secure Checks
On August 1, Reddit.com disclosed a data breach that exposed some user email addresses, internal information, and various data from before 2007. When compared to the content found in the Facebook-Cambridge Analytica breach, the Reddit hack is trivial. What makes the breach unique is that it’s the first real-world example of an SMS-based two-factor authenticator, or 2FA, having its codes hijacked. SMS-based authenticators are everywhere. But, if your system holds sensitive data, then you should be using something stronger like a token or app-based solutions.
The US National Institute for Standards and Technology advises against using an SMS-based 2FA. This stance comes from a successful academic experiment in bypassing SMS-based 2FA just a couple years ago. However, until mid-June 2018, this had never occurred outside of a controlled environment. So, what does this mean for the average Redditor? Not much. Yet, it has plenty of meaning for other organizations using SMS-based 2FA.
If you are using SMS-based 2FA, then it may be time to upgrade. Consider using an app-based Multi-Factor Authenticator (MFA). It’s much safer than SMS, as the messages cannot get intercepted. Encrypt or lock your device with biometrics, and you’ve got a pretty safe solution. However, there is an even more secure solution.
Use a key! USB-based MFA systems are the most secure solutions out there. Many organizations dealing with delicate information, like Google, use them. Security keys are the embodiment of the philosophy behind multi-factor authentication. They are a physical something you have on top of the login info you know. To use one, simply plug the key into a USB slot, press a button, and you’re logged in. That's it. The authentication codes are never shown to the user, so there’s no way for them to leak. With the most popular producer of security keys selling the basic model for just $20, there’s no reason to not be using them.
If you're worried about bad actors getting into your system, look into your authentication solution. For some businesses, SMS-based 2FA is all you need, but most should consider a more secure option. Currently, your best bets are app and key-based solutions.
