OTPs delivered via text messages delivered by phone carriers are not end-to-end encrypted, nor is using them a form of MFA.
OTPs, like all passwords, are "something you know" - using them is "two-step authentication with a single type of factor", unlike OTPs derived via a time-based cryptographic process, where you must have the device in hand.
Additionally, text messages are no longer just sent by the carrier to a single device. Things like "Your Phone" in Windows 10, iOS continuity features and carrier web-based portals all allow legitimate mechanisms for reading texts on devices other than the phone they were intended for.
And then there are a wide variety of attack trees against each of these methods.
------------------------------
Jim Scardelis
Senior Security Consultant
PSC
------------------------------
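To make the distinction in the reply above concrete, here is an added example (not code from any poster or from the CSA training material) of the "time-based cryptographic process" being referred to: an RFC 6238 TOTP generator and verifier built on RFC 4226 HOTP, using only the Python standard library. The shared secret lives on the device and on the server; the six-digit code is derived from that secret plus the current time step, so presenting a valid code demonstrates possession of the device rather than knowledge of a value that was transmitted to you. The constructed secret is the ASCII key from the RFC test vectors, and the `skew` and last-used-step handling are this example's own choices, not something prescribed by the thread.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, now // step, digits)

class TotpVerifier:
    """Server-side verifier for one enrolled device.

    `skew` allows +/- that many steps of clock drift; `last_step` is remembered
    so that a code which has already been accepted cannot be replayed inside
    its validity window (RFC 6238 section 5.2 recommends this).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step = -1

    def verify(self, candidate: str, now: int) -> bool:
        current = now // self.step
        for drift in range(-self.skew, self.skew + 1):
            step = current + drift
            if step <= self.last_step:
                continue  # already consumed (or older than a consumed step)
            expected = hotp(self.secret, step, self.digits)
            # constant-time compare so the check does not leak which digits matched
            if hmac.compare_digest(expected, candidate):
                self.last_step = step
                return True
        return False

# Constructed secret: the ASCII key used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # At Unix time 59 the step counter is 1; RFC 6238 lists 94287082 for 8 digits.
    print("device shows:", totp(RFC_TEST_SECRET, 59))
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use  :", v.verify(totp(RFC_TEST_SECRET, 59), 59))
    print("replay     :", v.verify(totp(RFC_TEST_SECRET, 59), 59))
```

The verifier accepts a code only once: a second submission of the same code within the window is rejected because the step has been marked consumed. Contrast this with a carrier-delivered SMS code, which is a random value generated server-side and sent in the clear; whoever can read the message (on the handset, through a desktop mirroring feature, or via a carrier portal, as the reply notes) holds the complete secret, and nothing ties it to a specific device.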
Original Message:
Sent: Nov 04, 2021 07:09:02 AM
From: Adnan Rafique
Subject: Cellular networks for MFA? Benefits & risks?
These tokens are encrypted in transit and shouldn't matter
------------------------------
Adnan Rafique
Cloud Security Leader
------------------------------
Original Message:
Sent: Nov 03, 2021 10:45:00 AM
From: Jenna Morrison
Subject: Cellular networks for MFA? Benefits & risks?
Hello!
In module 5 of the CCSK training, they mention that cellular networks are weak and not very secure when it comes to MFA. So much of MFA nowadays relies on cellular networks, however. How common of an occurrence is it for a hacker to get an OTP from someone's text messages? Does the benefit of MFA outweigh the potential risk of using cellular networks?
Thanks in advance :)
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------