Twilio’s B. Byrne On Why Eliminating SMS for 2FA Is A Bad Idea

After SS7 vulnerabilities allowed attackers to intercept authentication codes and rob a bank, is there still a need for SMS-based 2FA?

In the spring of 2017, hackers succeeded in draining several bank accounts across Germany even though the accounts were protected by two-factor authentication. The finger pointed to a vulnerability in a global telephony protocol known as Signaling System 7 (SS7), the system that carries SMS text messages. Analysts had warned that such breaches were possible, and are now claiming that this incident marks the final nail in the coffin for SMS-based account security. But much like the death of passwords, perhaps the death of SMS-based 2FA is premature.

SMS can still play an important role in account security. Watch this video to hear B. Byrne, Head of Authentication Product at Twilio, discuss what happened, why it matters, and what you should be doing if you're using SMS for Authentication.

Key Takeaways

This advanced talk about account security digs into the details of the SS7 vulnerability and the important role that SMS can still play in account security. Here are a few highlights:

  • Signaling System 7, first defined as a standard in 1980, hasn’t changed much in two decades.
  • Originally a ‘walled-garden,’ SS7 has been the target of multiple attacks since 2014, as more and more parts of the network are connected to the internet. Intercepting SMS messages is a current problem.
  • SS7 and SIM spoofing attacks can be detected...if you know where to look.
  • While not as strong as other authentication methods, SMS reaches many more people across the globe.
  • SMS-based 2FA is still better than no authentication at all. Rather than eliminating it, SMS should be paired with stronger authentication like TOTP and push notification.