Those Pesky Six-Digit Codes in Text Messages from Your Bank
On my phone, I have a text message that says:
Fr. MegaBigBank: Don’t share this code. We’ll never call or text you for it. Your SuperSecret code is: 123456. It expires in 10 mins.
While I changed the bank name and the marketing buzzword for the authentication code, I’m sure we’ve all been annoyed by these messages. Yes, you already logged in to MegaBigBank’s website with your username and password. But now, you also need to type the code into a screen on the website or a validation page in an app on your phone.
Annoying, isn’t it?
The problem is that there have been so many data breaches exposing login credentials that MegaBigBank can’t be sure your username and password weren’t compromised someplace else on the Internet. Are you really you, or some hacker who’s stolen your identity? The text message code displays on your phone, and you’re holding it. So, you must really be you.
Hi, I’m Bob
When you meet someone new, common Western practice has you extend your right arm as you say, “Hi, I’m Bob,” and offer to shake hands. You’ve just identified yourself. Sometimes, you have to corroborate that identity. A bank teller, for example, may ask you for a legal ID before withdrawing money from one of your accounts. The teller needs to authenticate that you are really “you.”
Identification and authentication happen in the real world all the time. When you log in to a website, you claim an identity called your username. But saying, “Hi, I’m Bob,” isn’t enough by itself. You have to back up the claim with a counter-check. Presuming that the password is secret and only you (and the website) know it, you authenticate yourself with the correct answer to the challenge. Say the right phrase - for example, “Rick Sent Me!” - and you’re admitted. If you give the wrong answer, you’re blocked. Sometimes, if you answer incorrectly, you’re banned for life - or locked out of the system.
We do this often and in many places, both formally, such as logging in to a computer or network, and informally, in everyday conversation.
Giving your name and corroborating it happens all the time. We take it for granted as part of life and social interaction. This is because we learn at a young age that anybody can say anything—even if it isn’t true. Someone can impersonate you. Without authentication, they can usurp your identity; others will believe the impostor.
Consider the following conversation:
Me: “Hi, I’m Bob. May I ask your name?”
Other person: “Nice to meet you, Bob. I’m Mergertroid Snagglepuss. Please call me ‘Merg’?”
Me: “Great to meet you as well. Do you know Donald?”
Other person: “Of course! He always covers his Bill!”
Me: “I know Donald as well, but he’s not all he’s quacked up to be, sometimes.”
In this (admittedly glib) conversation, Merg and I exchange identities. Then, we use our shared knowledge of Donald to verify those names. Presumably, either of us could go back to Donald for a cross-check.
Talking to a friend about one-time codes sent in text messages
The inspiration for this blog was a conversation with a dear friend who was frustrated about a constant barrage of text messages with one-time codes. They are called “one-time” because a code is valid only once. Once it’s used, it’s gone. For example, if you enter a one-time code into a website to authenticate, that code won’t be valid for authentication anymore. Consider that a six-digit number ranges from 000000 to 999999. That’s a million possibilities, each one generated randomly. The chances of getting the same code twice are incredibly tiny.
To understand why your doctor’s office just sent you a code by text message, you need to realize that authenticating with a passphrase - for example - isn’t enough. Someone could steal your username and password to log into the doctor’s app. But, if they didn’t have your cell phone to get a text message, they couldn’t answer the second “challenge.”
An attacker trying to steal your account might have your username and password. Because of all the data breaches over the last 25 (or more) years, hackers have access to vast lists of identities. If they gain access to one of your accounts - maybe you reused your password - they can perform an Account Take-Over (ATO). Without the text code, they would be blocked. Better yet, you’ll receive an unsolicited text message, which will serve as a warning sign.
Obviously, after you get this unsolicited text message, never give the code to someone who calls you—they are probably the hacker after the code! In fact, the text message will often instruct you never to give out the code.
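To make the mechanics above concrete, here is a small model of the server side of a text-message code: a uniformly random six-digit code (leading zeros kept), a ten-minute lifetime as in the quoted message, a cap on wrong guesses, and a flag that retires the code after one successful use. This is an added example written for this article, not any bank’s code; the `OneTimeCodeService` class, the five-attempt limit and the injectable `clock` are assumptions made so the behaviour can be shown without waiting ten minutes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 10 * 60   # "It expires in 10 mins", as in the quoted text message
MAX_ATTEMPTS = 5                  # constructed limit: retire the code after too many wrong guesses


def generate_code(digits: int = CODE_DIGITS) -> str:
    """Return a uniformly random code of exactly `digits` digits.

    secrets.randbelow draws from the OS CSPRNG (never use random.randint for this),
    and zfill keeps leading zeros so '000123' is a valid six-digit code.
    """
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OneTimeCodeService:
    """Issues and checks one-time codes per username (hypothetical helper for this article).

    `clock` is injectable so expiry can be exercised without a real ten-minute wait.
    """
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, username: str) -> str:
        code = generate_code()
        self.pending[username] = PendingCode(code=code, issued_at=self.clock())
        # In a real deployment this string goes to the SMS gateway, never back to the browser.
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self.pending.get(username)
        if entry is None or entry.used:
            return False                          # nothing outstanding, or already spent
        if self.clock() - entry.issued_at > CODE_LIFETIME_SECONDS:
            del self.pending[username]            # expired: the user must request a fresh code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                          # too many guesses: this code is dead
        entry.attempts += 1
        # compare_digest does not leak how many leading digits matched via timing.
        if hmac.compare_digest(entry.code, submitted.strip()):
            entry.used = True                     # one-time: never accept it again
            return True
        return False
```

The guess limit matters as much as the randomness: a million possibilities is only a strong defence if the attacker does not get a million tries.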
I could, perhaps, see you standing with Donald and later pretend I also knew him. Unless you checked with Donald and he asked, “Who’s Bob?”, you wouldn’t know. Without authenticating the authentication, I could impersonate (or spoof) a legitimate user.
Without authenticating the authentication, you risk someone breaking into your accounts, being conned, or worse.
So, you know your password. That’s one type of authentication, but someone could steal that information. A second factor—holding your cell phone to get a text message, for example—makes this impersonation much harder. The attacker would need to know your password and also have a way to get the code.
One-time codes complicate our lives and slow us down, but they also protect us from cybercriminals who would raid our bank accounts or pillage our medical records.
We call this Multi-Factor Authentication. In this case, it’s Two-Factor because you know your password and possess your cell phone. Because computer people are enamored with acronyms, we call this MFA or 2FA.
That’s why you get a text message with a one-time code.
Part of my friend’s issue is that everyone using 2FA sends the code differently. Sometimes, it will be a text message, while a different implementation might send an email. Not only is the code a pain to transcribe, but finding it can also be difficult, especially for non-technical people or older adults. And we know that older adults are especially at risk of succumbing to scams.
Making matters even more complicated, some environments send a message directly to an app on your phone, bypassing text or email. Microsoft’s Outlook email system and Google will use an app on the phone as an “authenticator.” In that case, you need to match the code on your phone with that on the screen to gain access.
A final issue—especially for my friend—is that the codes often expire quickly, adding urgency to a stressful situation.
So, Bob, why do we need 2FA?
Doing my best Rod Serling introduction to a TV show called “The Twilight Zone”:
Consider that you’ve created an account at a website with substandard cybersecurity. You had no way of knowing about the weak security and trusted the website. Looking back, you realize that was probably a mistake. When you created a new username and password, the website stored the latter insecurely. Consider, then, that hackers break in and steal your identity. They could, for example, log in as you because they have your authentication. From there, they could pillage your account. Or, worse, you used the same username and password at another website. Once the hackers possess those, they can try to impersonate you at myriad places on the web. Cybersecurity professionals call this “Password Spraying,” and it’s been the cause of several recent high-profile data breaches. Different passphrases mean you must remember each one or learn to use a “password manager.”
2FA protects you because you use a second authentication factor. Hackers would need to know your password and have your actual cell phone. You’re effectively “authenticating the authentication.”
Our first line of defense is to use different passwords everywhere. In our fictitious Rod Serling quote, I mentioned “password managers.” These programs or services offer to “securely” store our passwords and provide them across the Internet. Hackers have breached many of these password manager services, which revealed your identities and authentication anyway - I’m not a fan.
MFA then gives us an added level of protection at the cost of convenience.
There are two elements of good news when 2FA is used with numeric codes. First, modern Apple and Android phones will often transcribe the number for you and automatically fill it in on the app that needs it. The other aspect is that the numbers break into “chunks,” making dealing with a large number easier. To give you three examples:
• A food app I use sends 5-digit codes, which become two-plus-three: 12 345.
• Most websites use a six-digit code that breaks into three-plus-three: 123 456.
• One US Government website I frequent uses an 8-digit number. You guessed it - four-plus-four: 1234 5678.
Identification and authorization are part of the picture
There are really four components at play here:
✓ Identification is saying who you are. We have lots of identities. For example, the name on my driver’s license somewhat differs from what’s on my passport. We take this for granted with acquaintances who use their middle names or women professionals who use their maiden names. Actors and other public personalities use stage names; authors often write under a nom de plume.
✓ Authentication—Making a claim to an identity is fine, but you need to prove it. Further, you may need to authenticate the authentication. This can be strict, as in the case of the Transportation Security Administration requiring an exact match between the name on your ticket and that on your ID. Or, it can be loose, and we understand a nickname can take the place of a formal name.
✓ Authorization - After you’ve identified and authenticated, what can you do? For example, if you’ve been in an online conference, you know that people are hosts or guests - the latter is just a participant while the former runs the meeting. A meeting host can invite others, eject someone, or end the session. Meeting guests cannot do these things because they aren’t authorized to do so. For most things in life, we take this “Authorization” as part of our course of business. The teller at the bank can manipulate more of your account than you can because they are “authorized.”
✓ The last step is called “Accounting” or “Auditing.” Almost all modern systems keep logs of most or all activity. Cybersecurity professionals use this to monitor for malicious activity and determine what happened after discovering an incident. If you’ve ever gotten a text message from your bank about suspicious activity, be thankful for this last capability.
Cybersecurity professionals call this the IAAA Model. It gives us trustworthiness and accountability. As a side effect, we also get a high level of trust that someone isn’t being impersonated (authenticating the user or perhaps the person sending a message) and that they can’t deny their actions (called non-repudiation).
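The four IAAA components, and the meeting host/guest example above, map directly onto code. The block below is an added illustration written for this article (not from the original post or any real meeting product): the username is the identification, a salted slow hash checks the password (the kind of storage the “substandard cybersecurity” website in the Twilight Zone story lacked), a role table decides what the authenticated user may do, and every attempt, allowed or denied, lands in an audit log. The `MeetingService` class, the role names and the permission sets are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Authorization table: role -> actions it may perform (the article's meeting example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "host": {"join", "invite", "eject", "end_meeting"},
    "guest": {"join"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash stored as 'salthex$digesthex'.

    A stolen copy of this table does not hand out reusable passwords, and the random
    salt means the same password hashes differently at every site, so a leak at one
    site does not directly reveal that you reused it elsewhere.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class MeetingService:
    """Toy service walking through Identification, Authentication, Authorization, Accounting."""
    users: Dict[str, str] = field(default_factory=dict)    # username -> salted hash
    roles: Dict[str, str] = field(default_factory=dict)    # username -> role
    sessions: Set[str] = field(default_factory=set)        # usernames that have authenticated
    audit_log: List[str] = field(default_factory=list)     # the Accounting record

    def register(self, username: str, password: str, role: str) -> None:
        self.users[username] = hash_password(password)
        self.roles[username] = role
        self.audit_log.append(f"register user={username} role={role}")

    def login(self, username: str, password: str) -> bool:
        # Identification: the username is the claimed identity.
        stored = self.users.get(username)
        # Authentication: back the claim up. Unknown users fail exactly like bad passwords.
        ok = stored is not None and check_password(password, stored)
        if ok:
            self.sessions.add(username)
        self.audit_log.append(f"login user={username} result={'ok' if ok else 'fail'}")
        return ok

    def perform(self, username: str, action: str) -> bool:
        # Authorization: only an authenticated identity with the right role may act.
        allowed = (username in self.sessions
                   and action in ROLE_PERMISSIONS.get(self.roles.get(username, ""), set()))
        # Accounting: record denied attempts too; they are what incident responders look for.
        self.audit_log.append(
            f"action user={username} action={action} result={'allowed' if allowed else 'denied'}")
        return allowed
```

The audit log is what turns the “suspicious activity” text from your bank into something a responder can act on: the record says who claimed what, whether the claim was proven, and what they then tried to do.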
Sometimes, you only authenticate
For Wi-Fi, best practice says all wireless networks need to be protected with a passphrase and encryption. In fact, with the 6th and 7th generation Wi-Fi standards, there’s no such thing as an unencrypted connection.
You only authenticate when you present a passphrase to connect to a Wi-Fi network. Unless the network engineers have implemented so-called “Enterprise Mode,” you don’t need to identify yourself to use a Wi-Fi network. Knowing the network name and the passphrase indicates that you may legitimately access the Wi-Fi. Since there’s nothing secret about the network name, protecting the passphrase becomes really important.
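The point that the network name is public while the passphrase is the only secret can be seen in how a WPA2-Personal key is actually built: both the phone and the access point run the passphrase and the SSID through a fixed, publicly specified derivation (PBKDF2-HMAC-SHA1, 4096 iterations, as in IEEE 802.11i) and arrive at the same 256-bit pre-shared key without either side ever identifying a particular person. This block is an added example for this article, not part of the original post; the test uses the published “password”/“IEEE” vector from the standard, not a real network.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal pre-shared key both the client and the access point compute.

    The SSID acts only as the salt: it is broadcast to everyone, so it keeps two networks with the
    same passphrase from sharing a key, but it contributes no secrecy. All of the secrecy, and
    therefore all of the network's strength, rests on the passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrases use printable ASCII only")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def same_network_key(passphrase_a: str, ssid_a: str, passphrase_b: str, ssid_b: str) -> bool:
    """True when two (passphrase, SSID) pairs yield the same key: only when both parts match."""
    return wpa2_psk(passphrase_a, ssid_a) == wpa2_psk(passphrase_b, ssid_b)
```

Because the derivation is identical on every device and in every textbook, nothing about it is secret; that is exactly why the passphrase itself has to be long and unique.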
2FA works here as well. Several years ago, I taught an onsite class at a defense contractor’s location. They authorized me to use the guest Wi-Fi for the week. I connected to the wireless network using the passphrase, and I also needed to enter a username, password, and phone number on a web page before proceeding.
There are lots of authentication factors
Historically, cybersecurity professionals have discussed three types of authentication. There are many more and, in 2024, we see at least three others.
The three classic authentication factors are:
• Knowledge is something you know. That’s undoubtedly stating the obvious, but Passwords and Personal Identification Numbers (PINs) are great examples. Your password can be yours forever if you keep it secret (and don’t reuse it in multiple places). There’s an old phrase attributed to Benjamin Franklin: “Three people can keep a secret if two of them are dead.” Cybersecurity professionals call this “Type-1” Authentication.
• Possession. Having something tangible can authenticate you. Credit cards and so-called “Smart Card” IDs can serve this purpose. For example, you might tap your credit card at the grocery store’s payment terminal. Holding the credit card or using tap-to-pay authenticates you. Someone without your credit card or phone couldn’t steal your payment information. Google, eBay, gaming websites, and some banks encourage using hardware tokens - physical devices you keep on your keychain and plug into a USB port when you want to authenticate. Think of a token like the keychain loyalty card you might have for your grocery store, except that this is akin to a key - it takes up room and needs to be plugged into a computer to work. We call this “Type-2.”
• Biomechanics. Forgers can copy handwriting but cannot duplicate how a person writes. Likewise, I can take text and type it into a keyboard. Attackers cannot, however, copy the cadence of my typing style. Sherlock Holmes is famous for using walking (gait) analysis to solve crimes. You guessed it, this is “Type-3.”
A big note: Biometrics such as reading a fingerprint are not type-3 authentication despite people saying so in Internet documentation and cybersecurity training. The whorls and swirls of your fingerprint are a physical password, as are handprints and facial or eye recognition. Worse yet, you cannot change your password if you are compromised (say, drugged) or the authentication information is stolen. There is, for example, no feasible way to change your fingerprint.
Each of these mechanisms has failings:
• Knowledge can be stolen, guessed, eavesdropped, or reverse-engineered. Once someone has your password, you are vulnerable. Don’t forget that spraying and password reuse raise the probability of a hacker's success.
• Something you possess can be lost or stolen. Drop your credit card at the convenience store, and you’ve potentially just fed a homeless person.
• People can be conned, coerced, bribed, or subverted in some other way into compromising biomechanical authentication.
This is where we truly see the strength of 2FA and MFA.
Applying modern authentication methods
In 2024, we see organizations starting to use three more authentication mechanisms:
• Location. Traveling to work with my laptop, I was pleasantly surprised by a message I saw on my bank’s website: “We don’t recognize your computer’s location, so we’ve sent a code to your phone. Enter it here…” followed by a text box on the screen. As an educated guess, my bank tracks my computer's Internet Protocol (IP) address and a web browser’s location. Move to a new location, and you’ll have a new IP address. My bank’s software saw me at a new location and decided to perform a 2FA challenge. I was impressed. Likewise, my eReader allows me to read any electronic book for as long as I please when I’m in the company’s store - I haven’t tried it.
• Trust and Attestation. I’ve gotten several training engagements because an instructor wasn’t available and suggested, “Try Bob.” The client already had a relationship with the other trainer who vouched for me. Similarly, Merg and I leveraged our knowledge of Donald.
• Time-based. We’ve already seen that the codes an organization sends you in a text message may expire. Similarly, you may only be able to use the work computer network during business hours.
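The bank behaviour described under “Location,” and the business-hours rule under “Time-based,” are both examples of a service deciding how much authentication to demand based on context. The block below is an added sketch of such a policy, written for this article and not drawn from any bank’s or employer’s system: a login from a known device on a known network is allowed, an unfamiliar device or address triggers a step-up (send the one-time code), and anything outside business hours is refused. The `KnownContext` record, the 07:00–19:00 window and the sample addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time as dtime
from typing import Dict, List, Set

BUSINESS_HOURS = (dtime(7, 0), dtime(19, 0))   # constructed policy window


@dataclass
class KnownContext:
    """What the service has previously seen for one user."""
    device_ids: Set[str] = field(default_factory=set)                # e.g. a long-lived browser cookie
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # address ranges seen before


@dataclass
class LoginAttempt:
    username: str
    password_ok: bool      # the first factor has already been checked
    device_id: str
    source_ip: str
    when: datetime


def decide(attempt: LoginAttempt, known: Dict[str, KnownContext]) -> str:
    """Return 'deny', 'allow', or 'step_up' (meaning: send the one-time code and wait for it)."""
    if not attempt.password_ok:
        return "deny"                                   # a wrong password never gets a code sent
    # Time-based factor: the work network is simply closed outside business hours.
    if not BUSINESS_HOURS[0] <= attempt.when.time() <= BUSINESS_HOURS[1]:
        return "deny"
    ctx = known.get(attempt.username, KnownContext())   # first-ever login: nothing is known
    ip = ipaddress.ip_address(attempt.source_ip)
    known_device = attempt.device_id in ctx.device_ids
    known_location = any(ip in net for net in ctx.networks)
    if known_device and known_location:
        return "allow"
    # Location or device is unfamiliar: "we don't recognize your computer's location".
    return "step_up"


def remember(attempt: LoginAttempt, known: Dict[str, KnownContext]) -> None:
    """After a successful step-up, record the device and a /24 around the address for next time."""
    ctx = known.setdefault(attempt.username, KnownContext())
    ctx.device_ids.add(attempt.device_id)
    ctx.networks.append(ipaddress.ip_network(attempt.source_ip + "/24", strict=False))
```

The useful property is asymmetry: a legitimate user who travels pays one extra code, while an attacker who has only the password is challenged every time, because they can neither present the device nor appear from the expected network.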
Lots more
I suspect any list of authentication methods would be incomplete, but here are a few more types used in other situations:
• Tokens—We’ve already mentioned the USB fobs one could keep on their keychain. But we’ve also had other kinds of tokens from companies such as RSA and Verisign. These often feature a small display window with a numeric code. Google, eBay, and Microsoft, among others, encourage token use. The user must apply the fob (however it works) and also enter the code in the display.
• Out-of-band - A security issue recently occurred with one of my credit cards. Someone was trying to use my number to make purchases half a continent away from my location. When I called the number on the back of my card - never trust the information in a message from your bank because it might be fake - the agent on the phone asked me to answer personal questions before processing my fraud alert. All of this was independent of the technology I used, and the fraud specialist authenticated me with information only I knew - such as my last successful purchase.
• Attribute - If I started using my real first name instead of my nickname, my friends might react by asking, “Who?” Similarly, I’ve had the same email signature since 1981 - it’s a long story - but I sent a message to a friend without it. That prompted a phone call asking whether I was OK. Because I didn’t use my email nickname, my friend was worried about someone impersonating me - or worse.
• API - That’s the acronym-speak for Application Programming Interface. If I use the website for my note-taking program, I am prompted for a username and password. That’s as expected. If, however, I open up the Windows program and select something from the “Help” menu, the web behavior is very different. My web browser opens to the “Help and Support” page for the program, with me already logged in because I started from the Windows program. In other words, because I logged into the Windows note-taking program, it provided a proxy for web-based authentication. Using one of several distributed web login protocols (I don’t care which one), the Windows program logs me into the website for the note-taker I use, treating my earlier authentication as good enough for the support web pages.
• Shared - Sometimes, an organization shares your Identification and Authorization across multiple services. Log in to Gmail, for example, and you can access your Google Photos service. Or, perhaps, a website may have you register your Facebook ID - then, the service doesn’t have to maintain its own IAAA. The advantage (possibly) is that you’ve logged into the shared authentication service, which works wherever that same service is used elsewhere. You need to decide if that’s a “good thing” or not.
Each of these has its strengths and weaknesses
Each of these authentication mechanisms has nuances and details. One could argue that token-based authentication is a variation of Type-2. Hackers can apply techniques to circumvent any of these systems individually. For example, an attacker could use a Virtual Private Network (VPN) to hide that they are in a hostile country.
Trust and attestation are based on person-to-person interaction. If someone misleads you or claims a false relationship, it undermines the strength of the authentication.
At the risk of repeating myself, one authentication factor isn’t enough. Often, two, in combination, suffice. As I mentioned earlier, my bank uses a combination of factors depending on their threat perception.
As much as 2FA and MFA complicate our lives and slow us down, they do the same for adversaries. Given the choice between an easy target and a more challenging one, attackers pick the easy one, and it becomes a victim of its own convenience.
Mutual authentication
What we’ve discussed here is “one-way” authentication: one party proves its identity to the other, as when we prove ours to a website, or someone proves theirs to us. We can also do this in both directions. Your bank’s website uses HTTPS - Hypertext Transfer Protocol Secure. Part of that involves a Digital Certificate issued by a trusted source that attests you are communicating with your bank. They have authenticated to you through trust. Then, you log in with a username and password, proving your identity.
The website presented me with a digital certificate containing an electronic signature from a “Trusted Root” authority. The website owners requested the certificate from the Trusted Root service. The trusted root performed its “due diligence” to ensure the site was authentic. Then, they issued the certificate that the website presented to me. Here’s where trust comes in: No matter which web browser I use (Edge, Safari, Chrome, Firefox, or a smaller brand), I trust the program to display web pages to me safely and securely. In the parlance, “I trust my web browser.” It (the browser) contains a list of “Trusted Roots.” When one of these attests to an HTTPS website, I know that an impostor isn’t fabricating a fake web page because the certificate’s signature verifies against a root I already trust. We call this a Chain of Trust.
You can use this for one-way authentication like a lot of the discussion in this blog. I’ll tackle the details of Mutual Authentication at another time.
Proving who you are
Claiming identity is easy. History is filled with people who claim to be historical or religious figures. According to The Guardian newspaper, a Texas man changed their name to “Literally Anybody Else” and is running for President of the United States. Mr. Else can even authenticate themselves because they possess a legal ID from a trusted source, namely the government of the State of Texas.
When we meet Merg, we need to know they are who they claim. Authentication gets us there.