eBay, one the most popular online marketplaces, is reportedly asking its users to sacrifice security for convenience on their accounts by ditching a popular method of two-factor authentication in favour of text-based sign-ins, according to cybersecurity expert Brian Krebs.
In a blog post this week (22 March), Krebs revealed how he received a worrying email from eBay. It stated: "We're going to make two-step verification more convenient by texting you a Pin instead of having you use your token. All you need is a mobile device."
The problem? It has become a widely-held belief in the cybersecurity world that two-step authentication via text message is weaker than other forms of account verification. Experts have said login codes sent using this method may be intercepted and stolen.
There are two main types of security verification: two-step and two-factor. Despite often being used interchangeably, each has subtle differences. Both, however, contain a mixture of something you know (password), something you have (USB security key) and something you are (fingerprint).
Two-step is perhaps the more common of the two, with online services sending a multi-digit SMS code to a phone before permitting access an account. Two-factor, however, bolsters security even more by needing a physical piece of hardware (something you have) to work.
As Krebs noted, the National Institute of Standards and Technology (NIST) recently released a research paper criticising SMS-based verification. It revealed that codes sent this way may be "intercepted by [an] attacker by compromising the communication channel."
A spokesperson for the online retailer indicated the changes were made as the company is aiming to move away from third-party options to produce its own "in-house" verification tools in the future. Previously, PayPal, then part of the same company, sold its own hardware fob for $5 (£4).
A statement read: "Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customers' security needs.
"To that end, we've launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal.
"eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch."
For his part, Krebs said he wouldn't be ditching his trusted hardware key fob.
'Better than nothing'
While it could be painted as a bad move in terms of security, not everyone agrees. Jon Oberheide, chief technology officer at Duo Security, told SC Magazine: "While we agree there are stronger forms of authentication than SMS we need to consider adoption rates, which are low.
"The key fob is arguably more secure, but if virtually no one uses it there is little improvement in security. If several orders of magnitude more people adopt SMS, it will end up protecting more people even if it is technically a less secure mechanism."
He added: "SMS-based [...] authentication is better than customers using no authentication at all."