Post on 26-Jul-2020

Philipp Markert, Florian Farke, and Markus Dürmuth

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication

Santa Clara, California, USA | WAY 2019 | August 11, 2019

Two-Factor Authentication

2FA Adoption

Gmail Confidential Mode

Attacking Google’s 2FA

Are there alternatives?

2FA Adoption

analyzed top 100 websites*

- 25 no login: 75 left
- 18 duplicates: 57 left
- 26 no 2FA: 31 offer 2FA

* Le Pochat et al. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. NDSS ’19

31 websites offer 2FA

25 (81%)

7 (23%)

24 (77%)

Gmail Confidential Mode

Email

Tonight’s door code: long long short long

Link

Tonight’s door code: long long short long

https://confidential-mail.google.com/msg/...

2FA Confidential Mode

Attacking Google’s 2FA

alice@gmail.com pw: wonderland

1. Email

https://confidential-mail.google.com/msg/…

https://confidential-mail.oscar.com/msg/...

4. 6. G-123456

3. Login

5. G-123456

2. Confidential Mode

Are there alternatives?

2FA

Confidential Mode

1. Improve the text of the SMS

2. Use a Software Token

3. Use a Hardware Token
