Speaking at the RSA Conference in San Francisco, cybersecurity experts Aaron Turner and Georgia Weidman discussed two-factor authentication and biometrics as means to securing one’s phone. Although they concur that the two-factor authentication is the way to go, there are certain caveats.
Authenticator apps like Google Authenticator generally provide better security than SMS-based schemes, however, they are only as good as the devices running them.
iOS v. Android — safest phones
Turner also dispels the myth that iPhones are more secure than Android devices and warns against iPhones that run anything but the latest iOS 13. Amongst android smartphones, he praises Pixel devices, and shares that he has “had good experiences with Motorola and Nokia Android One devices”
"iOS is still good, but Android's SELinux is the bane of my existence as someone who's building exploits," noted Weidman. Turner echos this sentiment:
"We charge three times as much for an Android pentest than we charge for an iOS one,"
Stop buying Samsung phones
Also, Turner had some strong opinions about Samsung:
“Karsten Nohl showed that Samsung was faking device updates last year. Stop buying their stuff."
To be fair to Samsung, the authors of the study cited by Turner, later admitted that some of their findings weren’t accurate.
Biometrics — finger/print
Neither expert is a fan of biometrics. Weidman acknowledged that fingerprint readers and facial recognition are "better than nothing when used in addition to passwords."
However, Turner was more skeptical "I am fundamentally opposed to using biometrics because it's non-revocable," citing a case when a gang cut off a man’s finger to gain access to his car that was fingerprint-protected, “fingerprint readers are biometric toys."
According to Turner, the only two-factor authentication method without discovered security vulnerabilities is a hardware security key.
As crypto companies and crypto applications have become some of the most attractive targets for hackers and regular criminals alike, it is essential that everyone applies best practices to secure their digital assets.