eBay to ‘downgrade’ verification by switching to SMS

For a decade, eBay customers who wanted extra-strong security have been able to use two-factor authentication (2FA) involving a Verisign-manufactured key fob that generated a unique six-digit code only the user would see. As we complained last year, setting up 2FA on eBay has never been a piece of cake. But those concerned about the growing risks of SMS-based 2FA have welcomed the option of using a separate “hardware token”. (And people aware of such concerns tend to be more capable of acquiring and setting up such a contraption.)

Now, however, eBay’s hardware 2FA option is going away.

KrebsOnSecurity reports that eBay is asking key fob users to start receiving their 2FA security codes via SMS text message instead. As Brian Krebs writes, “eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option”.

Krebs found eBay’s timing ironic: security experts at the US National Institute of Standards and Technology (NIST) recently began actively discouraging the use of SMS-based 2FA in government systems:

NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception… thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

NIST says using the public switched telephone network to deliver an authentication code via SMS or voice “is being considered for removal in future [guidelines]”. But organizations that must do so should take multiple precautions, and

SHALL verify that the pre-registered telephone number being used is associated with a physical device. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. Verifiers SHALL use known and verifiable routes to deliver the secret, for example, by using Class 2 SMS. Verifiers SHOULD be aware of indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.
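To make the quoted precautions concrete from the verifier’s side, here is an added example (not code from eBay, NIST or this article) of a policy gate a service could run before sending a one-time code over SMS. The account records, the clock and the “carrier signal” fields (SIM change, number port, device swap timestamps) are constructed sample data and an assumed shape for a number-intelligence lookup, not a real API; the seven-day risk window is likewise an assumption.

```python
"""Verifier-side gate applying the NIST draft SHALL/SHOULD precautions before
an out-of-band code is delivered over the PSTN (added example; all data is
constructed and the CarrierSignal shape is an assumption)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class Account:
    user: str
    phone: str
    # True once enrolment bound the number to a physical handset
    # ("SHALL verify ... associated with a physical device").
    phone_bound_to_device: bool


@dataclass
class CarrierSignal:
    """Constructed stand-in for a carrier / number-intelligence lookup."""
    sim_changed_at: Optional[datetime] = None
    ported_at: Optional[datetime] = None
    device_swapped_at: Optional[datetime] = None


# Assumed window in which a SIM change, port or device swap is treated as a
# risk indicator ("SHOULD be aware of indicators such as ...").
RECENT = timedelta(days=7)
NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)  # constructed clock


def sms_delivery_decision(account: Account, signal: CarrierSignal,
                          now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). The SHALL check blocks outright; a recent
    SHOULD indicator defers SMS delivery so another factor can be used."""
    if not account.phone_bound_to_device:
        return False, "number not bound to a physical device"
    for name, when in (("sim_change", signal.sim_changed_at),
                       ("number_port", signal.ported_at),
                       ("device_swap", signal.device_swapped_at)):
        if when is not None and now - when < RECENT:
            return False, f"recent {name} at {when.isoformat()}; use another factor"
    return True, "ok"


def change_phone_number(account: Account, new_phone: str,
                        second_factor_verified: bool) -> Account:
    """Changing the registered number SHALL NOT be possible without 2FA at
    the time of the change; the new number must be re-bound before use."""
    if not second_factor_verified:
        raise PermissionError("second factor required to change phone number")
    account.phone = new_phone
    account.phone_bound_to_device = False
    return account


def demo() -> dict:
    """Run the gate over constructed cases; returns a dict of outcomes."""
    results = {}
    alice = Account("alice", "+15550100", phone_bound_to_device=True)
    results["clean"] = sms_delivery_decision(alice, CarrierSignal(), NOW)
    swapped = CarrierSignal(sim_changed_at=NOW - timedelta(days=2))
    results["recent_sim_change"] = sms_delivery_decision(alice, swapped, NOW)
    old_port = CarrierSignal(ported_at=NOW - timedelta(days=90))
    results["old_port"] = sms_delivery_decision(alice, old_port, NOW)
    try:
        change_phone_number(alice, "+15550199", second_factor_verified=False)
        results["change_without_2fa"] = "allowed"
    except PermissionError:
        results["change_without_2fa"] = "blocked"
    change_phone_number(alice, "+15550199", second_factor_verified=True)
    # Freshly changed number is not yet bound to a device, so SMS is refused.
    results["after_change"] = sms_delivery_decision(alice, CarrierSignal(), NOW)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the gate is ordering: the device-binding check and the 2FA-on-change rule are hard requirements, while the SIM-change and porting signals only decide whether SMS is an acceptable channel right now; a service that has a stronger factor available (a hardware fob, an authenticator app) falls back to it rather than sending the code anyway.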

(You can check out NIST’s latest draft digital identity guidelines yourself. Through March 31, you can also comment on them through GitHub before they become official. Occasionally it’s a good thing the government’s listening to you!)

eBay certainly isn’t the only company that has sought to move away from hardware tokens, which traditionally had a reputation for being costly to provide and manage. (Though, as Network World notes, recent innovations may be making them somewhat more appealing.) It’s also worth mentioning the ongoing debate about whether any form of authentication truly qualifies as a second factor if it’s delivered via the same device you’re using to access secure resources.

eBay told Krebs it is:

… constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs… We look forward to sharing more [2FA options when they’re] ready to launch.

That suggests eBay plans to offer choices that limit its payments to third parties. Perhaps a smartphone app (similar to Sophos Authenticator)? Or biometrics? Or both, or something else? If you’ve already got a hardware fob, Krebs says it still works – for now. And if you’re not using 2FA at all, eBay’s SMS-based 2FA is still much better than nothing.