INFO5301 NIST Digital Identity Guidelines
10.3 Assume that Mobi Health is a government-initiated mobile app to register for health services from hospitals in Australia. Using this app, patients can connect to their nearest hospital and access different services such as getting appointments for OPD, specialists, dental services, etc. Following the recent security incidents, app providers concluded that SMS-based authentication (i.e., when signing in or signing up to the app) has many security vulnerabilities. Name three alternative methods to SMS authentication that can be used by the Mobi Health app, with a brief explanation of their working process. [6 marks]
Answer:
1. End-to-end encrypted SMS. Multiple solutions have looked into the possibility of providing end-to-end encryption of the SMS channel for delivery of SMS messages, including OTCs that are otherwise sent in plain text. For example, Saxena et al. [1] proposed EasySMS, which generates a symmetric key between the transmitting and the receiving parties of the message with the help of the HLR (Home Location Register), which stores subscriber information, and a Certificate Authority. The threat model this solution targets mainly includes man-in-the-middle (MITM) attacks. Nonetheless, end-to-end encryption does not necessarily solve many of the current security vulnerabilities of SMS authentication. For instance, attacks such as SIM swap and mobile number port-out can still happen, as SMS authentication will still be based only on the content of one SMS sent to a mobile subscriber unit.
[1] N. Saxena and N. S. Chaudhari, "EasySMS: A protocol for end-to-end secure transmission of SMS," IEEE Transactions on Information Forensics and Security, 2014.
2. Communication over third-party apps. WhatsApp is offering the possibility of facilitating MFA as an alternative to the SMS channel via their own SDK [2]. With its end-to-end encryption capabilities and broad (if by no means universal) usage, OTC delivery over WhatsApp is an attractive potential alternative to SMS authentication. Nonetheless, its security implications need to be thoroughly analysed before any commercial use, as attack vectors are unclear for such a setting (e.g. how easy it is to spoof a WhatsApp account or to trick a user into revealing the OTC through social engineering). And despite the huge number of users that WhatsApp has attracted, it has nowhere near the universal usage of traditional SMS, which is available to every mobile phone user.
[2] S. Scrivens, "Soon you can use WhatsApp to receive two-factor authentication codes," https://reclaimthenet.org/whatsapp-2-factor-authentication-codes/, 2019.
3. Telco APIs. Measures are being considered to defeat certain types of known attacks against SMS authentication, including SIM swap and mobile number port-out. In some countries, telcos have opened additional APIs for frequent users of SMS authentication, such as banks, so that additional security measures can be taken if a customer has recently done a SIM swap or a number port-out [3, 4].
[3] J. Owino, "Financial firms to benefit from Safaricom's anti-fraud system," https://www.capitalfm.co.ke/business/2019/06/financial-firms-to-benefit-from-safaricoms-anti-fraud-system/, 2019.
[4] A. Colley, "Telcos, banks to fight phone hijacking crime gangs," https://www.afr.com/technology/telcos-and-banks-combine-to-fight-mobile-phone-hijacking-crime-gangs-20190531-p51tbg, 2019.
4. Third-party authentication apps. There are a large number of authentication apps available today. One of the best examples is the University of Sydney's multi-factor authentication via Okta.
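The following is an added illustration of points 3 and 4 above, not part of the original answer: a relying party such as the Mobi Health back end consults a telco SIM-swap/port-out lookup before sending an SMS one-time code, and falls back to a registered authenticator app (or refuses SMS entirely) when the number has changed hands recently. The telco API shape, the risk windows and the sample subscriber records are all assumptions constructed for the example; real carrier APIs differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical result of a telco SIM-swap / port-out lookup (assumed shape;
# real carrier APIs return different fields).
@dataclass
class TelcoStatus:
    last_sim_swap: Optional[datetime]   # when the SIM was last replaced
    last_port_out: Optional[datetime]   # when the number last moved carrier

# Constructed sample subscriber records standing in for the telco API.
CONSTRUCTED_TELCO_DATA = {
    "+61400000001": TelcoStatus(None, None),
    "+61400000002": TelcoStatus(datetime(2024, 5, 1, tzinfo=timezone.utc), None),
    "+61400000003": TelcoStatus(None, datetime(2024, 4, 20, tzinfo=timezone.utc)),
}

# Assumed policy windows: treat the number as untrusted for SMS delivery
# for a week after a SIM swap and a month after a port-out.
SIM_SWAP_WINDOW = timedelta(days=7)
PORT_OUT_WINDOW = timedelta(days=30)

def lookup_telco_status(msisdn: str) -> TelcoStatus:
    """Stand-in for the carrier lookup; unknown numbers raise so callers fail closed."""
    status = CONSTRUCTED_TELCO_DATA.get(msisdn)
    if status is None:
        raise LookupError(f"no telco record for {msisdn}")
    return status

def sms_otc_risk(status: TelcoStatus, now: datetime) -> Optional[str]:
    """Return a reason string if SMS delivery is risky for this number, else None."""
    if status.last_sim_swap and now - status.last_sim_swap < SIM_SWAP_WINDOW:
        return "recent SIM swap"
    if status.last_port_out and now - status.last_port_out < PORT_OUT_WINDOW:
        return "recent number port-out"
    return None

def choose_otc_channel(msisdn: str, has_auth_app: bool, now: datetime) -> str:
    """Decide how the one-time code for a sign-in is delivered."""
    try:
        risk = sms_otc_risk(lookup_telco_status(msisdn), now)
    except LookupError:
        risk = "telco lookup failed"   # fail closed: never fall back to plain SMS
    if risk is None:
        return "sms"
    if has_auth_app:
        return "authenticator_app"     # e.g. TOTP or push in a registered app
    return "deny"                      # require re-verification via another channel
```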
Information Security Management Page 8 of 9