SMS OTP Security (SOS)

Christian Peeters, Christopher Patton, Imani N. S. Munyaka, Daniel Olszewski, Thomas Shrimpton, Patrick Traynor
2022. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security.
SMS-based two-factor authentication (2FA) is the most widely deployed 2FA mechanism, despite the fact that SMS messages are known to be vulnerable to rerouting attacks, and despite the availability of alternatives that may be more secure. This is for two reasons. First, it is very effective in practice, as evidenced by reports from Google and Microsoft. Second, users prefer SMS over alternatives, because text messaging is already part of their daily communication. Accepting this practical reality, we developed a new SMS-based protocol that makes rerouting attacks useless to adversaries who aim to take over user accounts. Our protocol delivers one-time passwords (OTP) via text message in a manner that adds minimal overhead (to both the user and the server) over existing SMS-based methods, and is implemented with only small changes to the stock text-message applications that already ship on mobile phones. The security of our protocol rests upon a provably secure authenticated key exchange protocol that, crucially, does not place significant new burdens upon the user. Indeed, we carry out a user study that demonstrates no statistically significant difference between traditional SMS and our protocol, in terms of usability.

CCS CONCEPTS: Security and privacy → Formal security models; Usability in security and privacy; Mobile and wireless security; Multifactor authentication.
doi:10.1145/3488932.3497756
fatcat:vzky4kp2s5fhjetgybrf2eevzm