Two-factor authentication provider Authy is advising Coinbase users to disable multi-device functionality, following a series of phone “SIM-swapping” attacks. Coinbase itself, however, is advising consumers to use single-device authenticators from Google and Microsoft.
Authy and Two-Factor Authentication (2FA)
Authy provides users with a seven-digit temporary access code that expires every 20 seconds. They may access the code via a mobile app or Chrome browser extension. Anyone attempting to access an online account must have this access code as well as the original password. The principle is “something you know plus something you have”, which stops most account takeovers that rely on a stolen password alone.
For convenience, Authy also allows users to link approved devices so if one is lost or unavailable, another will suffice. For those who’ve experienced being locked out of online accounts after losing or breaking a mobile device, this feature is a godsend.
The problem is that to provide this convenience, Authy sends codes to users via an API rather than storing secret keys on the device itself. And to approve a new device, Authy sends an SMS or voice message.
Poor security at mobile network providers has led to hackers hijacking others’ phone numbers, and gaining access to their SMS and voicemail messages. The practice is known as number “porting” or “SIM swapping”. In recent months, both prominent bitcoiners and high-stakes poker players have been targeted.
Disabling multi-device therefore kills Authy’s biggest advantage. Authy itself acknowledges SMS security is a problem, and has provided a series of advisories for users. However, if you still want to use multiple devices, you’ll have to install each one separately and disable multi-device after authorizing each one. This still leaves the possibility that an attacker could gain access, though the window is narrower.
Coinbase: Use Google or Microsoft Instead
To avoid any chance of a SIM-swapping attack, Coinbase is advising users to use an alternate system, such as Google Authenticator or Microsoft Authenticator. These apps both use a QR code (with a backup secret text key) to store keys locally on a device.
With Google and Microsoft there’s no need for any devices to communicate, and nothing to hijack. However, if you lose your device and don’t have the backup key recorded (as this writer has done), you’re in for a painful time trying to disable 2FA on various services. If an attacker somehow gains physical access to your mobile device and also knows your password, you’re also out of luck.
No system is 100 percent foolproof, but there are many ways to mitigate risk. In the end, it’s a simple choice between greater security or convenience. Personal experience with either could be key.
What 2FA systems do you use, if any? Please share your opinions below.