Tell HN: SMS can be used to bypass Sendgrid’s 2FA

21 points by nde 3 years ago | 9 comments

A couple weeks ago, I signed up for Sendgrid to take advantage of their free email service. I always provide as little information as possible when signing up for new services, and I try my best to avoid providing my phone number. Luckily, I was able to get everything set up and maintain some level of privacy doing so.

Fast-forward a couple weeks: I go to log in to change one of my templates, and I get prompted to enable 2FA on my account. Thinking, “it’s kinda neat they make it this easy,” I click “Next”. Then, Sendgrid prompts me to enter my phone number so that in case I lose access to my 2FA device, they can send me a one-time code via SMS…

In other words, SMS can be used to bypass the 2FA you set up with Sendgrid. After going back and forth with their customer support team, it looks like providing your number is the only way to enable 2FA and unless you enable 2FA you can not log into your account…

Normille 3 years ago |

This is a bit vague, as I can't remember which site it was. I think either eBay or PayPal. But...

a while back I visited one of those 'send a 2FA code to you via SMS' websites and, not noticing the SMS bit, I entered a 2FA code from my phone's authenticator app as the number I'd been sent by SMS --which worked to let me in.

When the actual SMS 2FA code arrived on my phone a few mins later [crap phone signal here] I noticed it was the same code. So it seems like at least one site is just forwarding you the same code your authenticator app would generate, as an SMS. I'm not sure of the security implications of that --if any.

I've also noticed that, quite often when I check verious bank and credit card accounts, one after the other, the 'please enter the Xth, Xth, Xth and Xth numbers from your security code' prompt is asking for the same numbers, on each bank's site. Which strongly suggests a load of separate banks are using the same centralised security prompt generation --which sounds like a bad case of 'single point of failure' to me.

joshxyz 3 years ago | |

the problem is sms can be sniffed / mitm attacks.

simondanerd 3 years ago |

PayPal has a similar problem: https://medium.com/@jewbixcube/paypal-allows-bypassing-two-f...

nde 3 years ago |

I feel like my biggest peeve with this whole situation revolves around a lack of choice on the user’s end, with (presumably) the goal of hardening security. And, then not doing the research to ensure the choices made are actually the most secure.

The more cynical reason might revolve around getting access to your phone number, but we’ll give the benefit of the doubt and say that’s not the case.

In my opinion, websites offering 2FA should give users a choice to pick between: - Security Key (with Backup Codes you can store offline or SMS) - Authenticator App (with Backup Codes you can store offline or SMS) - SMS - No 2FA

If I want to choose a less secure method for 2FA or backup codes, that should be my choice but clearly communicated.

hayyyyydos 3 years ago |

Last time I checked (~6 months ago), when you're logging in and it asks to verify a mobile 2FA code, the mobile number it's sent to is actually returned to the browser in the response...

curiousgal 3 years ago |

And how do you suggest you regain access to you account when/if you lose your 2FA device?

adamckay 3 years ago | |

Backup codes can be generated at setup and displayed to the user (and never displayed again) which can log you in so you can reset your MFA device.

Google does this.

rat9988 3 years ago |

SMS 2FA is a form of 2FA.

ezekg 3 years ago | |

An insecure form of 2FA.