Secure Wallet 2FA with SMS

TL;DR

Adding two-factor authentication (2FA) via SMS to your wallet code improves security, but isn’t foolproof. This guide explains how to implement it and the risks involved. We’ll focus on practical steps and highlight potential vulnerabilities.

Implementing SMS 2FA

1. Choose an SMS Provider: Services like Twilio, Vonage (formerly Nexmo), or MessageBird provide APIs for sending and receiving text messages. Consider cost, reliability, and global coverage.
   • Sign up for an account with your chosen provider.
   • Obtain API keys – keep these extremely secure!
2. Install the Provider’s SDK: Use a package manager (npm, pip, etc.) to install the appropriate library for your programming language.

   npm install twilio --save

3. Generate and Store 2FA Tokens: When a user enables 2FA:
   • Create a random token (e.g., 6-digit number).
   • Store this token securely in your database, associated with the user’s account. Never store it in plain text – use hashing algorithms like bcrypt or Argon2.
   • Send an SMS message to the user’s registered phone number containing the token.

     const twilio = require('twilio');
     const client = new twilio(accountSid, authToken);
     client.messages.create({ 
       to: '+15558675309', // User's phone number
       from: '+14155238886', // Your Twilio phone number
       body: 'Your 2FA code is: ' + token });

4. Verification Process: During login:
   • Prompt the user for their password and 2FA token.
   • Retrieve the stored hashed token from your database.
   • Compare the entered token with the stored token (using a secure comparison function provided by your hashing library – do not directly compare hashes).
   • If the tokens match, grant access; otherwise, deny it.

     bcrypt.compare(enteredToken, storedHashedToken, function(err, result) {
       if (result) {
         // Tokens match - allow login
       } else {
         // Tokens do not match - deny login
       }
     });

5. Rate Limiting: Implement rate limiting to prevent brute-force attacks on the SMS verification process.
   • Limit the number of 2FA requests per user within a specific timeframe.
   • Consider IP address-based rate limiting as well.

Security Considerations (Hacks & Mitigations)

1. SIM Swapping: Attackers can port a user’s phone number to their own SIM card, intercepting SMS messages.
   • Mitigation: Encourage users to use authenticator apps instead of SMS 2FA. Offer multiple 2FA options.
2. SS7 Vulnerabilities: Signaling System No. 7 (SS7) is a protocol used by mobile networks, and it has known vulnerabilities that attackers can exploit to intercept SMS messages.
   • Mitigation: This is difficult to mitigate directly. Using authenticator apps or hardware security keys are better solutions.
3. SMS Interception Tools: Various tools exist that allow attackers to intercept SMS messages.
   • Mitigation: Again, encourage stronger 2FA methods.
4. API Key Compromise: If your SMS provider API keys are compromised, attackers can send verification codes for any user.
   • Mitigation: Store API keys securely (e.g., using environment variables or a secrets management system). Rotate keys regularly. Implement strict access controls to limit who can access the keys.
5. Database Security: If your database is compromised, attackers can steal stored hashed tokens.
   • Mitigation: Use strong encryption for your database. Implement robust access controls and regular security audits.

Important Notes

• SMS 2FA is more secure than no 2FA, but it’s significantly less secure than authenticator apps or hardware security keys.
• Always prioritize user education and encourage the use of stronger authentication methods.
• Regularly review your code for vulnerabilities and keep your dependencies up to date.