Is tokenless (specifically SMS) 2FA a security compromise over OTP tokens?
a) Is tokenless 2FA (particularly SMS based) a security compromise over traditional tokens?
Yes SMS is better than just a password but the weakest of the forms of 2FA.
The main security risks are:
- Number redirection
- Phone stolen
- Transaction performed on the phone. This is a major one with the growth of smartphones and tablets capable of receiving iMessage type messages
Also like you said the operational considerations:
- SMS coverage. The options you stated such as sending two codes or a day code reduce the strength of the one time password as it is valid for a lot longer period and thus providing a greater window for compromise
- Cost of sending the SMS, especially if you need to send internationally
- Require battery
That said it is still the most convenient for users because:
- Most people have a phone capable of SMS and carry it with them always.
It also has a security benefit in that:
- users are far more likely to notice a missing phone rather than a missing token
- if the seed file and/or algorithm is compromised (e.g. RSA breech) it is far easier to replace a fleet of soft tokens or change the SMS OTP seed file and algorithm rather than a fleet of hard tokens
b) Are physical tokens still popular just because they're tried and tested, with companies like RSA trading on the reputation they've established, or is there still an objective case for sticking with physical tokens?
There is a objective case as they provide a fit depending on your threat model.
Of course there is also change resistance. Large companies that have deployed hard token infrastructure, deployed tokens, trained their users have to build a business case for the project not just that say SMS or soft tokens are cheaper and more convenient. Although with the RSA breach for example I know of quite a few companies that took the opportunity to move to soft tokens.
c) Have people found that SMS based 2FA is impractical for regular users and found themselves deploying physical tokens to those users?
The only times I have heard this are:
- A significant enough population of users do not have phones or phones capable of soft tokens and the company cannot be seen to discriminate
- Users are already trained in using hard tokens
- Users already have a hard token and it is easier to re-use than deploy and train for SMS
- International users and the cost of sms or difficulty sending local sms is prohibitive
d) Are the solutions such as "day use" codes and multiple codes in a single SMS much of a security compromise compared to the default of single codes being sent and stored in an SMS?
Yes as they reduce the strength of the one time password as it is valid for a lot longer period and thus providing a greater window for compromise
e) For users of smartphones, is it a no-brainer to deploy soft tokens rather than rely on SMS based 2FA?
Not necessarily. A threat model still needed, a soft token still can be compromised more easily than a hard token. Smart phones are computers, they can still get malware, applications can gain access to your seed or OTP and transmit it elsewhere.
Also the operational considerations mentioned above. If it is a mining environment is a hard token that needs a new battery every few years and is more resistant to dirt, variation in temperature, liquids going to be better?
f) Can anyone direct me to some appropriate literature that I should be reading to really get a feel for some of the above issues?
Oldie but a goodie: http://www.isaca.org/Journal/archives/2007/Volume-3/Pages/Analyzing-the-Security-of-Internet-Banking-Authentication-Mechanisms1.aspx
a) Is tokenless 2FA (particularly SMS based) a security compromise over traditional tokens?
You could say that SMS and mobile phones are less secure as a medium. Companies like RSA often point out the weaknesses, but remember that RSA is obviously biased. Of course, RSA itself has shown us that token-based solutions are also vulnerable to compromise.
There are arguments for sms-based tokens being more secure. As I mentioned, a hardware token has a fixed algorithm that may potentially be compromised and reproduced without the user ever knowing. However, a SMS token doesn't have to follow any predictable algorithm; the code can be completely random. Furthermore, SMS tokens may have some benefits when it comes to repudiation (or non-repudiation) because the physical location of a mobile phone is tracked and one could go back and correlate that with a particular login.
Another thing is that an SMS code could also be effective in preventing a MITM or at least require it to be so elaborate that it would eliminate the feasibility of most of these attacks (a cool thing would be a SMS code combined with a soft token to be able to authenticate both the server and the client).
b) Are physical tokens still popular just because they're tried and tested, with companies like RSA trading on the reputation they've established, or is there still an objective case for sticking with physical tokens?
Physical tokens do have the benefit of being able to produce a code independent of any electronic channels that could potentially be snooped or otherwise compromised. They also have the ability of being standardized across a company, not requiring a device that could fail or a battery that frequently runs out, can be waterproof and more rugged in general. Some tokens such as the Yubikey must be plugged in to a USB port which verifies the actual existence of the token (but also requires an internet connection to authorize). Physical tokens can also be combined with proximity cards for physical access. And of course physical tokens such as smart cards may contain PKI certificates that can be used for other encryption or authentication purposes. So yeah there are benefits to them.
e) For users of smartphones, is it a no-brainer to deploy soft tokens rather than rely on SMS based 2FA?
Overall, I don't think you can argue that any of these techniques is significantly stronger or weaker than any other from a security standpoint (they all have their strengths and weaknesses). Either way, any token combined with a user password will greatly boost security.
On the other hand, there can be a huge difference in price, manageability, and support overhead between the different technologies.
If you do something like HOTP or TOTP you can use soft tokens, physical tokens, or even web-based tokens if necessary. I use google authenticator on my phone and I have six different tokens from different places. It is free and supports both HOTP and TOTP standards. But I also use a Yubikey for some accounts, the DIGIKEY token to login to PayPal, and SMS-based to login to facebook.