Two years ago, NIST warned that SMS-based two-factor authentication was not as secure as other schemes, and that companies should adopt alternative methods using tokens or software cryptographic authenticators instead. Reddit’s breach illustrates the dangers of relying on SMS messages or phone calls to secure accounts.

An attacker breached several employee accounts in mid-June and accessed a complete copy of backup data spanning from 2005 (Reddit’s launch) to May 2007, wrote Reddit’s founding engineer writing under the name KeyserSosa. The data included cryptographically salted and hashed password data from that period, corresponding usernames, email addresses, and all user content. The attacker also obtained email digests sent between June 3 and June 17, which include usernames and their associated email addresses.

Reddit’s KeyserSosa said two-factor authentication was enabled for those employee accounts. While Reddit policy was to use time-based one-time passwords (TOTP), which are passcodes that are generated and active for only a short-period of time, these employee accounts used SMS-based authentication. User accounts rely on TOTPs from Google Authenticator. The exceptions to policy appear to have to do with how third-party providers handled their accounts.

"...but there are situations where we couldn't fully enforce this on some of our providers since there are additional "SMS reset" channels that we can't opt out of via account policy. We've since resolved this," the engineer wrote in a comment to the original post.

Don’t pick on Reddit for its security decisions.

Two-factor authentication refers to taking an extra step beyond entering a password when logging in. That second step can take different forms, such as plugging in a hardware security key, entering a one-time password generated by a mobile app (TOTP), sending a notification to a mobile app, or receiving OTPs over SMS or phone call. SMS-based authentication is straightforward, as it doesn’t require the user to install an app or some kind of software token and the organization doesn’t have to figure out how to distribute hardware tokens to all the users.

The entire point of having two-factor authentication is to require the user to combine something you know (the password) with something you have (the phone). SMS-transmitted OTPs are vulnerable to social engineering attacks because the attacker attempts to take over the phone number. You may still have your phone, but you don’t get your messages because you don’t have control over your phone number.

There are several well-documented instances of attackers calling the cellular provider or going into a retail store and social engineering customer support into switching the phone number to a different SIM card. Using the phone number as a form of identity can be unreliable.

This kind of social engineering seems to be more prevalent in the United States than Europe, where there are much more stringent checks on verifying that the person requesting the phone number change is really the owner of the number. Even so, there are other ways to take over the phone number, such as brute-forcing the password on the mobile account because the subscriber used a weak password or reused one from another site. There are also weaknesses in the SS7 routing protocol used by carriers to ensure interoperability that can be exploited.

There are always tradeoffs in security, and this case shows the pitfalls of this particular decision.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” the engineer wrote.

Don’t pick on Reddit for its security decisions. Yes, the company was using a mechanism that security experts have warned as being vulnerable and that NIST stopped recommending. But sending OTPs over SMS is arguably one of the most commonly used two-factor authentication schemes. It isn’t alone in deciding that this form of authentication was good enough for some of its accounts.

Major banks, consumer finance services, and social apps tend to offer SMS-based authentication, although many payment apps and email tools rely more on software-token based authentication, according to a very comprehensive list maintained on twofactorauth.org. As more users adopt mobile apps such as Google Authenticator or Duo, more sites will start offering software-based tokens. However, many sites still offer SMS as a backup option when more secure methods are not available.

It’s the age-old challenge of balancing strong security with supporting users when they make a mistake. Or in Reddit’s case, working with other providers. Pure security isn’t practical. There are always tradeoffs in security, and this case shows the pitfalls of this particular decision.

With the Reddit breach, there’s a choice: Shout “SMS is bad!” and criticize organizations for using that scheme anyway, or design an environment that considers alternatives and additional layers or protections to properly support real-world use cases.

The type of two-factor authentication being used matters. Yes, something is better than nothing, but it’s important to think about the levels of security being used. Sites that allow SMS- or call-based two factor authentication as a fallback, or as the only method of authentication, now have a clear example of what can go wrong. This is an opportunity to make things better for the entire authentication ecosystem.