eBay asking users to switch from keyfob to SMS 2fa

Investigative journalist Brian Krebs has said eBay has been asking readers to downgrade their security when logging into the website.

Krebs has shown a screenshot of the online marketplace asking a customer to downgrade from a token-generating keyfob to an SMS text as a means of two-factor authentication.

eBay said: “We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

This could be seen as a move for convenience, helping those who might forget the fob but carry their phone everywhere they go.

However, the problem with this is that SMS-based two-factor authentication has been proven to be highly insecure.

So much so that last year the United States National Institute of Standards and Technology (NIST) recommended it be abandoned.

NIST noted that SMS messages carrying two-factor authentication codes can be intercepted, making it possible for criminals to obtain the login code.

Krebs wrote: “I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.”

Jon Oberheide, CTO and co-founder of two-factor authentication firm Duo Security, told SC Media UK: “While we agree that there are stronger forms of authentication than SMS (such as push and U2F), we also need to consider adoption rates which are low. The keyfob is arguably more secure, but if virtually no one uses it there is little improvement in security.

“If several orders of magnitude more people adopt SMS, it will end up protecting more people even if it is technically a less secure mechanism. This is similar for when we look at mobile screen locks. While some will say fingerprint is less secure - it's easier - therefore more people will enable it versus a passcode. In other words, SMS-based two-factor authentication is better than customers using no two-factor authentication at all.”