Essays mature
This idea is complete, spare the occasional tending.

series: Login Bingo ➤

by Matthew Lyon  •  February 11, 2025

Check Your Messages

It’s time to go log in to the system to do the thing. After filling out your regular login credentials, you’re asked to enter a one-time verification code, which will be provided over a message channel which you’ve previously established with this system. Maybe it’s a phone number they’ll send a text message to, maybe it’s an email address. To retrieve this code, you need to set aside the context for what you’re doing and visit another context: checking your messages.

While there, you notice a new thread that piques your interest, and you’re drawn in. By the time you wrap up that side quest and remember what you’re supposed to be doing, the time limit for the code they sent has expired; apparently it was only good for five minutes.

Unbeknownst to you, your communication channel has also been compromised. Perhaps you were subject to a SIM swap; perhaps the email was intercepted by a BOFH planted at your email host who has been patiently targeting you. Combined with an earlier compromise of your password, and using the time you were distracted, they take over your account.


Whatever the excuse, sending two-factor authentication codes over a message channel is not only insecure, and disruptive for people who try to quarantine their messages for whatever reason, but also fails the premise of multifactor authentication, which requires “something you know” and “something you have”:

  • SMS requires a phone number, which you rent/lease from the phone company and which can be scammed away from you (a SIM swap) without your knowledge. I know multiple people who’ve been subject to these attacks.

  • Email is an inherently insecure medium: it relies on DNS (the MX records that say where your mail is delivered), which can be hijacked. If you have your own domain, you are renting/leasing it from your registrar. If you use an email provider’s domain, you are relying on them to manage it for you.

With these possible vectors for losing access to your messaging channel, you cannot rightly say that channel is something you have — it is something you have access to, which looks very similar if you’re not paying attention but it is not the same.

Sending multifactor codes via messages is also an easy way out for systems that do not want to invest in better alternatives, especially since those alternatives are less approachable for the average person. I’ve joked before that the reason many systems have been slow or reluctant to adopt good multifactor authentication is because their CEO can’t understand why messages aren’t good enough for everyone if they’re good enough for them.

I’ve heard the argument that it doesn’t matter, because “password resets happen over email anyway, so it doesn’t matter that these codes aren’t really secure”. Congratulations, now you’ve exposed both something you know and something you have to insecure, hijackable channels.

Furthermore, email in particular is unsuited to this task – it is not a real-time medium, nor was it designed to be – and per the SMTP specification, a delivery problem may take days to resolve one way or the other:

Retries continue until the message is transmitted or the sender gives up; the give-up time generally needs to be at least 4-5 days (RFC 5321, section 4.5.4.1)

With regard to attention contexts, as a person with ADHD this is something I take a keen interest in when thinking about interaction design. Email management is generally considered a hard problem and text messages are often overwhelming, and, as with Open a Window, you are contributing to the problem by using these methods, especially for people with ADHD.

It gets worse, though: SMS MFA fatigue contributes to bypass attacks. Attention context is about more than managing the quantity of messages; it is also about the threats that the widespread misuse of these communication channels exposes one to. When verification codes routinely arrive by text or email, one more code, or one more “we noticed a login, please confirm it” message, does not look out of place, which is exactly what an attacker who phishes or talks the code out of its recipient is counting on. By sending multifactor codes through an insecure message channel, you are contributing to those channels’ role in security failures.


2025 Matthew Lyon