Speaking at BSidesDFW 2016


It's no secret that that sending one-time-pad codes via SMS are not a secure mean two-factor authentication. But they're oh-so-easy to implement. What's the blue team to do?


In May of this year (2016) NIST published the document “Draft Special Publication 800-63-3: Digital Authentication Guideline”. Among the many changes to the digital-authentication guidelines was the long-overdue decision to deprecate short-message service, one-time pads (SMS OTP).

Rather than running with the provisional NIST guidance and pushing for reform, many security practitioners responded than embracing the guidelines continued supporting SMS OTP, even if half-heartedly, by noting “it’s better than nothing.”

When pushed on the question of SMS security, some suggested “use a burner phone number”. Others downplayed the risk by arguing SMS-interception attacks are rare and difficult to execute.

The chief reason for this support are the competing needs of improved security and end-user convenience. Mobile devices are ubiquitous and SMS available on most. It seems like an easy win.

In this talk we'll look at the attack scenarios against SMS OTP and consider credible, easy-to-implement mobile alternatives.