A major security breach, reported by TechCrunch, has underlined the sense of Apple’s approach to two-factor authentication (2FA).
A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.
The exposed server belongs to Voxox (formerly Telcentris), a San Diego-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages …
TechCrunch said that the true scale of the breach isn’t yet known.
After an inquiry by TechCrunch, Voxox pulled the database offline. At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher.
A ‘cursory review’ of the exposed data found 2FA codes from booking.com, Google and at least two financial services companies.
The problem with texted 2FA codes
For anyone unfamiliar with the concept, two-factor authentication is intended to improve the security of online services by requiring two pieces of secure information, rather than just one – a password.
In many implementations, you register your mobile number with the service, and they text you a one-time code that needs to be entered along with your password.
The problem with this is that SMS isn’t a particularly secure protocol. There are a number of known vulnerabilities in the SS7 network on which text message transmission is based. Text messages are frequently sent as plain text (there are options for carriers to use encryption, but they often don’t). SMS is a store-and-forward system, meaning that the message is stored on systems at several points in its journey. And, as we’ve seen in this case, it’s common to use third-party companies to handle the transmission of 2FA codes, so you’re at the mercy of the security standards of those firms.
These weaknesses are why the US National Institute of Standards and Technology – which sets the standards for authentication software – wants to ban the use of SMS-based 2FA.
Apple does offer the option of texted codes – because some people may have only one Apple device. Texted 2FA codes are better than nothing.
But Apple’s primary approach is to use the concept of trusted devices. When you associate your Apple ID with a device and – importantly – use 2FA to sign in to that device, Apple views it as a ‘trusted’ device. This means that six-digit 2FA codes are displayed on it whenever another device requests one.
Apple’s approach is superior for a number of reasons. Because the system used is specific to Apple, the company has complete control over the security protocols. Codes are pushed to devices in encrypted form, and Apple uses a unique seed for each trusted device.
This unique seed also means that users can remove a device from their list of trusted devices at any time. Once it is removed, it will no longer be authorized to receive 2FA codes. For this reason, Apple’s approach is also better than authenticator apps, which use a shared seed.
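To make the one-time-code flow and the per-device versus shared-seed distinction concrete, here is an added Python model. It is illustrative code written for this article, not Apple’s protocol (whose internals are not public) and not code from the article. It assumes a standard HMAC-based one-time code (RFC 4226 HOTP) as the stand-in for “a code derived from a seed”, and the device names, counter value and registry classes are constructed for the example. Revoking one device in the per-device registry simply deletes that device’s seed; in the shared-seed registry the only way to lock out a removed device is to rotate the seed that every remaining device also relies on.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return f"{value % (10 ** digits):0{digits}d}"


class TrustedDeviceRegistry:
    """Per-device seeds (the article's description of Apple's model, as a hypothetical)."""

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}  # device_id -> that device's own seed

    def enroll(self, device_id: str) -> bytes:
        seed = secrets.token_bytes(20)
        self._seeds[device_id] = seed
        return seed

    def revoke(self, device_id: str) -> None:
        # Dropping the seed is enough: no other device shares it.
        self._seeds.pop(device_id, None)

    def verify(self, code: str, counter: int) -> bool:
        # The user types a code shown on one trusted device; accept it only if it
        # matches a still-trusted device's seed. compare_digest avoids timing leaks.
        return any(
            hmac.compare_digest(hotp(seed, counter), code) for seed in self._seeds.values()
        )


class SharedSeedRegistry:
    """One seed shared by every enrolled device (authenticator-app style, per the article)."""

    def __init__(self) -> None:
        self.seed = secrets.token_bytes(20)
        self.devices: set[str] = set()

    def enroll(self, device_id: str) -> bytes:
        self.devices.add(device_id)
        return self.seed

    def revoke(self, device_id: str) -> bytes:
        # The removed device still knows the seed, so deleting it from the list
        # changes nothing cryptographically. Locking it out means rotating the seed,
        # which invalidates every other device until each re-enrolls.
        self.devices.discard(device_id)
        self.seed = secrets.token_bytes(20)
        return self.seed

    def verify(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(hotp(self.seed, counter), code)


def revocation_demo() -> dict[str, bool]:
    """Enroll two devices in each model, revoke one, and report what still works."""
    counter = 42  # constructed: the Nth sign-in challenge

    per_device = TrustedDeviceRegistry()
    seed_iphone = per_device.enroll("iphone")
    seed_macbook = per_device.enroll("macbook")
    code_iphone = hotp(seed_iphone, counter)
    code_macbook = hotp(seed_macbook, counter)
    per_device.revoke("macbook")

    shared = SharedSeedRegistry()
    old_shared_seed = shared.enroll("iphone")
    shared.enroll("macbook")
    shared.revoke("macbook")

    return {
        "per_device_retained_still_accepted": per_device.verify(code_iphone, counter),
        "per_device_revoked_rejected": not per_device.verify(code_macbook, counter),
        "shared_retained_device_must_reenroll": old_shared_seed != shared.seed,
    }


if __name__ == "__main__":
    for check, outcome in revocation_demo().items():
        print(f"{check}: {outcome}")
```

The `hotp` function is the piece worth reusing: it is the standard construction behind most one-time codes, and the two registries differ only in how many devices hold a given seed, which is exactly the property the article credits for Apple’s clean per-device revocation.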
Apple’s device-based 2FA system is also friendlier for users. Unlike a text message, it doesn’t require you to have a mobile data signal – Wi-Fi will do. And every time I’ve used it, the push code has arrived instantly, in contrast to text messages, which can be delayed by minutes or hours, or even fail to arrive at all.