For a decade, eBay customers who wanted extra-strong security have been able to use two-factor authentication (2FA) involving a Verisign-manufactured key fob that generated a unique six-digit code only the user would see. As we complained last year, setting up 2FA on eBay has never been a piece of cake. But those concerned about the growing risks of SMS-based 2FA have welcomed the option of using a separate “hardware token”. (And people aware of such concerns tend to be more capable of acquiring and setting up such a contraption.)
Now, however, eBay’s hardware 2FA option is going away.
KrebsOnSecurity reports that eBay is asking key fob users to start receiving their 2FA security codes via SMS text message instead. As Brian Krebs writes, “eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option”.
Krebs found eBay’s timing ironic: security experts at the US National Institute for Standards and Technology (NIST) recently began actively discouraging the use of SMS-based 2FA in government systems:
NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception… thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).
NIST says using the public switched telephone network to deliver an authentication code via SMS or voice “is being considered for removal in future [guidelines]”. But organizations that must do so should take multiple precautions, and
SHALL verify that the pre-registered telephone number being used is associated with a physical device. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. Verifiers SHALL use known and verifiable routes to deliver the secret, for example, by using Class 2 SMS. Verifiers SHOULD be aware of indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.)
(You can check out NIST’s latest draft digital identity guidelines yourself. Through March 31, you can also comment on them through GitHub before they become official. Occasionally it’s a good thing the government’s listening to you!)
eBay certainly isn’t the only company that has sought to move away from hardware tokens, which traditionally had a reputation for being costly to provide and manage. (Though, as Network World notes, recent innovations may be making them somewhat more appealing.) It’s also worth mentioning the ongoing debate about whether any form of authentication truly qualifies as a second factor if it’s delivered via the same device you’re using to access secure resources.
eBay told Krebs it is:
… constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs… We look forward to sharing more [2FA options when they’re] ready to launch.
That suggests eBay plans to offer choices that limit their payments to third parties. Perhaps a smartphone app (similar to Sophos Authenticator)? Or biometrics? Or both, or something else? For now, if you’ve already got a hardware fob, Krebs says it still works – for now. And if you’re not using 2FA at all, eBay’s SMS-based 2FA is still much better than nothing.
Magyver
Bill, does this only present a security issue with those who buy from Ebay on a smart phone device?
I do all internet transactions on my home network computer. Am I still OK?
Micah Henning
This could be argued to be a pursuit in semantics, but I think it’s important to note that eBay doesn’t actually use 2FA at all. They use two-step authentication. In order for there to be MFA, more than one factor must be presented simultaneously in the same authentication step. On eBay, and loads of other websites, a user will authenticate with their password first. If it’s correct, they’ll be asked for the second factor, if their account is configured to use it. That’s two separate steps. If you’re presented with the second factor screen, you know that the password you used was correct. In a true MFA implementation, you can’t know the password was correct unless the second factor is also correct.
Paul Ducklin
That’s not strictly true – 2FA doesn’t have to verify both factors at the same time to have two factors. For example, when you use an ATM, there’s something you have (a card) and something you know (the PIN). If the card is invalid, the machine will spit it out. It won’t get as far as asking for your PIN.
I think the reasons that 2FA is commonly called “two-step verification” instead are [a] often there aren’t quite two factors, for example when you are logging in on a mobile browser that’s the same device that receives the SMS, so there are definitely two steps but not really two “factors”, more like one-and-a-bit; [b] two-step is more self-descriptive and less jargonny, so it’s a neater term to use; [c] 2FA got concertually tied up with token-based authentication, which makes some users think of carrying round 13 hardware dongles, and therefore has a vaguely negative flavour.