Plenty of people out there are looking at ways of using mobiles for 2FA. Another initiative, securePay, was announced in the UK recently. I’m not sure why mobiles in general, and SMS in particular, aren’t used more already, especially when you consider the extent to which text messaging dominates the customer’s communications. Tomi Ahonen pointed me at the JD Power annual survey of 3,000 U.K. phone users and its amazing 2007 findings.

First of all, remember that the U.K. is one of Europe’s leading mobile markets, with almost 120% mobile phone subscriber penetration (European average penetration went past 100% last year), well above average mobile industry revenues, and perhaps the world’s most competitive mobile market: four operators with near-identical market share (Vodafone, O2-Telefonica, Orange and T-Mobile all have between 20% and 30%) and a fifth, the start-up Three/Hutchison, growing fast and leading in the 3G space. The U.K. also has a most vibrant MVNO market, with Virgin Mobile. UK SMS text messaging usage levels have been near the European lead every year since.

Now let’s look at the figures. Voice calls by prepaid customers fell by 28% last year, and by postpaid customers fell by 22%. But text messaging was up 43%, and the average U.K. mobile user now sends six per day. The European average is less than two per day, and the American average less than one-half per day. Tomi says that American SMS usage per subscriber follows almost exactly the U.K. usage with a four-year lag.
With the customers’ revealed preference for text messaging, I think there’s plenty of mileage in using SMS 2FA (either with vanilla SIMs or with a SIM Toolkit encryption/authentication application) not just to secure the transactions that are targeted by current 2FA (eg, home banking, corporate VPN) but in more general use. SMS 2FA is extremely cheap and extremely effective. It needs virtually no consumer education and, when used in a simple way (ie, when you try to log in to your bank, they send you a “token” by text), would make an impact on a range of attacks. And, crucially, it is not subject to the man-in-the-middle attack that is the Achilles’ heel of token authentication.
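The simple flow described above (you try to log in, the bank texts you a token, you type it back) sketched as server-side code. This is an added example, not code from the post or from any bank: the `SmsOtpService` class, the `send_sms` callback standing in for an SMS gateway, and the expiry and attempt limits are all assumptions. It issues an unpredictable token, stores only its hash, and accepts it once, before it expires, within a small number of guesses.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (constructed for this example, not taken from the post).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # the texted token expires five minutes after it is sent
MAX_ATTEMPTS = 3        # discard the token after three wrong guesses


class SmsOtpService:
    """Issues one-time login tokens for delivery by SMS and verifies them (hypothetical)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, message): stands in for the SMS gateway
        self._clock = clock         # injectable so expiry can be exercised in tests
        self._pending = {}          # user_id -> (token_hash, expires_at, attempts_left)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, phone_number: str) -> None:
        # secrets rather than random: the next token must not be guessable from earlier ones
        token = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # Keep only a hash server-side, so a leaked pending-token table reveals no live codes
        self._pending[user_id] = (self._hash(token), self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_sms(phone_number, f"Your login code is {token}. It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False    # nothing issued, already used, or already discarded
        token_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]    # expired: the user must request a fresh token
            return False
        if hmac.compare_digest(token_hash, self._hash(submitted)):   # constant-time compare
            del self._pending[user_id]    # one token, one use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]    # too many wrong guesses: force a fresh token
        else:
            self._pending[user_id] = (token_hash, expires_at, attempts_left)
        return False
```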
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.