Despite what many believe to be a major inconvenience, multi-factor identification has long been recognized as an effective method of lessening the impactof a potential breach on end users. Even if a user’s password is compromised, for example, their account remains safe. And, up until now, this extra step could be delivered to an end-user via SMS such as when a random passcode is sent to an end-user via SMA whenever they log into their email or bank account. But, if the US National Institute of Standards and Technology (NIST) has anything to say about it (and they do), that will soon be a thing of the past.
NIST has come out in its Digital Authentication Guideline draft calling for the abolishment of SMS two-factor authentication (SMS 2FA), saying it is inherently unsafe and vulnerable to hacking in cases where the user provides a Voice over Internet Protocol (VoIP) number rather than a mobile number. NIST goes on to say that in the event that two-factor authentication must be carried out via SMS, verifiers MUST “verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number."
NIST’s guidelines not only make sense but are long overdue. We have long advocated that SMS One-Time Passwords (OTP) are not secure because there is no visibility into which device the passcode is being sent, and also because SMS OTP rely on the security of the phone and carrier infrastructure, which is typically not very secure. Hackers have taken advantage of this fact as evidenced by numerous attacks that have been reported where SMS malware--such as Euro Grabber—hijacked the end-user’s device. Australian Telco as far back as 2012 declared SMS unsafe for banking transactions. Up until now, US agencies such as the Federal Financial Institutions Examination Council (FFIEC) have not clearly made a strong move against SMS, leaning more on the safe side by recommending multi-layer authentication. With NISTS’s new guidelines, we finally have a clear message to move away from SMS. This is a big deal no matter how you look at it.
Interestingly enough, NIST is now addressing another concern with SMS -- the redirection of SMS to VoIP phones. NIST has great influence, influence that’s industry agnostic. Echoing NIST’s warning on SMS, the FFIEC recently updated its Retail Payment Services Handbook with an appendix on mobile financial services, warning about using SMS. I expect FFIEC will update its overall guidance soon enough to reflect the latest NIST advisory.
NIST’s draft SP 800-63 recommends that US government agencies begin investigating other authenticators, including biometrics. When looking to move beyond SMS OTP, the key is to look at solutions that provide visibility into the mobile device being used to authenticate the account. Push Notification or Mobile Tokens are a great alternative as each mobile device needs to be pre-registered before it can be used for authentication, something NIST clearly outlines with the need to pre-register and authenticate the phone number: “Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
Biometrics can also be used, but as NIST guidelines mention, "Biometrics shall be used with another authentication factor (something you know or something you have),” confirming that biometrics combined with functionality such as a push-notification solution is a clear path to strong authentication.
Push authentication is a great complement for biometrics because it provides simple, single-tap authentication. This method is faster than entering a passcode and is ideal for online and mobile access with minor interruptions to workflow. In terms of security, it provides a safe and encrypted communication channel that is resilient against attacks, including those that seek to bypass OTP.
To learn more about effective multi-factor authentication, click here.