Getting the best protection from Two-Step Verification


This article was originally published as part of the Pobox blog. Pobox was acquired by Fastmail in 2015.

With a new hack in the news every day and so many online accounts to manage, have you ever wondered just how safe you are when using Two-Step Verification? At Pobox, the security of your email is a top concern to us because your email account is the key that unlocks nearly all of your online accounts. Security recommendations change all the time, but we can help you stay up-to-date and make sure your email account is as secure as possible.

The National Institute of Standards and Technology (NIST) recently released a new draft of the Digital Authentication Guidelines that changes their two-step verification recommendations: SMS-based two-step verification is no longer recommended. What is SMS? You may better know SMS as text messaging. NIST no longer considers SMS-based Two-Step Verification a secure method for Two-Step Verification. SMS-based Two-Step Verification is a popular choice for many online services because a large majority of online users have readily accessible smartphones or devices with SMS capabilities. Unfortunately, because of its widespread adoption, attackers have been adapting their methods to steal users’ information.

Determined attackers have used social engineering (i.e. lying) to get mobile phone providers to transfer their target’s telephone number to a new device. If this happens, the attacker can then access your messages, receive the one-time password and log in to your account. By the time you realize what is going on, the attacker will have already received the password needed to access your online account.

There are also insecurities in Signaling System Seven (SS7), the protocol used to route your calls and messages. Hackers can exploit these insecurities to hijack incoming phone calls and intercept your text messages. This is another way that an attacker can gain access to your online accounts that utilize SMS-based Two-Step Verification.

Pobox does offer SMS-based Two-Step Verification for lockout codes. Why? In the event an SMS lockout code is used, Pobox will send you a message informing you that one of these codes has been used to access your account. An attacker cannot silently use SMS to bypass your security — you will always be informed. We also provide and recommend printable lockout codes, but based on the number of users who were locked out when that was our only option, we added SMS in this one limited case. Users can choose to delete their SMS lockout device, but make sure your printable codes are someplace secure!

So, what is the alternative? Pobox supports two primary methods — TOTP and hardware Yubikey tokens. An authenticator app produces time-based one-time passwords (TOTP) that are only valid for 30 seconds, which you can use to log in to your Pobox account. You use an authenticator app like Google Authenticator (or another authenticator app) to show the code on your phone, and it can’t be transferred to another device. Yubikeys are little USB gadgets that produce codes. When you register your Yubikey with us, we know to accept future codes from that device.

Your online security should be a top concern, and this information can help you take the right steps in making sure your online information is safe and secure. If you’re reading this and are considering enabling Two-Step Verification on your Pobox account, please visit these setup instructions.

If you would like more information about why SMS-based Two-Step Verification is no longer recommended, feel free to view these great articles from Fortune, Techcrunch.com and Theregister.co.uk or send us a message at pobox@pobox.com.
