With SMS OTP, a one-time password is sent to the user's mobile phone. The user is supposed to enter this one-time password in addition to the static password. This way the authenticating party believes it has verified that the user is in possession of the mobile phone.
This is a cheap way to establish two-factor authentication with something you know and something you have.
Several attack vectors for Two-Factor Authentication with SMS OTP
But lately there has again been news about the vulnerability of OTP values sent via SMS. There are different attack vectors. In one scenario the attacker reroutes or "steals" the SIM card by social-engineering the telephone provider. In another scenario malicious software installed on the smartphone sniffs the OTP value.
Yes, privacyIDEA also supports sending OTP values via SMS, and privacyIDEA is also vulnerable to these attacks, since it is the basic concept that lacks the necessary security.
Security is shades of grey — or white
But you might have heard that “there is no 100% security”. And that “security is a process”. And now I add to these idioms “Security is Shades of Grey”.
You gain security by using a password on your account to lock the desktop. But are you secure? You gain further security by adding a second factor during authentication. But is your data secure now? You gain further security by encrypting the hard disk (a.k.a. your data) of your desktop. But is it secure?
Yes, it is good to use a password. Using none is worse.
And yes, it is good to use SMS OTP. It is better than not using it. In certain cases it might be OK to use SMS OTP while being aware of the possible risks.
But there are further steps and other possibilities to increase security.
Choice of Security Level
With privacyIDEA you have the choice of which security level you are going to use, and this may even depend on the application and the client.
You may use SMS OTP, Email OTP, smartphone apps like the Google Authenticator, hardware key fobs and seedable tokens like the Yubikey. Using privacyIDEA's policy definitions, you can define which token type is allowed to be used for authentication at which application. This way you can accept the risk of using e.g. SMS OTP for low-security applications and require hardware devices like the Yubikey for applications that need higher confidentiality.
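To make the idea of per-application token policies concrete, here is a small policy evaluator as an added example. It is not privacyIDEA's own code or configuration syntax; it only models the decision the paragraph above describes: each application is identified by the client IP ranges it authenticates from (an assumption of this example), each policy lists the token types it accepts, requests from clients no policy covers are denied, and where several policies match, the most restrictive combination wins. The policy names, networks and token-type strings are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenPolicy:
    """One policy: which token types an application (identified by its client
    networks) accepts for authentication. Sample data, not privacyIDEA syntax."""
    name: str
    client_networks: tuple  # CIDR strings of the application's clients (assumed)
    allowed_tokentypes: frozenset


# Constructed sample policies: a low-security wiki accepts SMS/Email OTP,
# a VPN gateway handling confidential data only accepts hardware tokens.
POLICIES = (
    TokenPolicy(
        name="intranet-wiki",
        client_networks=("10.10.0.0/16",),
        allowed_tokentypes=frozenset({"sms", "email", "hotp", "totp", "yubikey"}),
    ),
    TokenPolicy(
        name="hr-vpn-gateway",
        client_networks=("203.0.113.5/32",),
        allowed_tokentypes=frozenset({"hotp", "yubikey"}),
    ),
    # A policy covering a subnet that overlaps the wiki range: here the
    # finance desks are excluded from SMS even on the wiki.
    TokenPolicy(
        name="finance-desks",
        client_networks=("10.10.7.0/24",),
        allowed_tokentypes=frozenset({"hotp", "totp", "yubikey"}),
    ),
)


def matching_policies(client_ip, policies=POLICIES):
    """Return every policy whose client networks contain client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [
        p for p in policies
        if any(ip in ipaddress.ip_network(net) for net in p.client_networks)
    ]


def allowed_tokentypes(client_ip, policies=POLICIES):
    """Token types an authentication from client_ip may use.

    Deny by default: a client no policy covers gets the empty set. When several
    policies match, only token types allowed by all of them survive, so the
    strictest policy wins rather than the most permissive one."""
    matched = matching_policies(client_ip, policies)
    if not matched:
        return frozenset()
    allowed = matched[0].allowed_tokentypes
    for p in matched[1:]:
        allowed &= p.allowed_tokentypes
    return allowed


def is_authorized(client_ip, tokentype, policies=POLICIES):
    """Decide whether an OTP of the given token type is acceptable for this
    client. The OTP value itself is assumed to have been checked already;
    this is only the policy step."""
    return tokentype.lower() in allowed_tokentypes(client_ip, policies)


if __name__ == "__main__":
    for ip, tt in (("10.10.4.7", "sms"), ("10.10.7.20", "sms"),
                   ("203.0.113.5", "sms"), ("203.0.113.5", "yubikey"),
                   ("192.0.2.1", "yubikey")):
        print(f"{ip:>14} {tt:<8} -> {'allow' if is_authorized(ip, tt) else 'deny'}")
```

The two design choices worth copying into a real deployment are the deny-by-default for unmatched clients and the intersection of overlapping policies: both ensure that adding a new, more permissive policy for one application can never silently lower the bar for another.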
If you require any professional assistance you may contact the maintainer of privacyIDEA.