NIST is no longer hot for SMS-based two-factor authentication

SMS-based authentication is easy to implement and accessible to many users, but it is also insecure. Now NIST plans to drop it from its two-factor authentication guidelines

NIST no longer hot for SMS-based two-factor authentication
Michael Kan

Relying on passwords is no longer enough, and two-factor authentication is a necessary component to secure applications, networks, and systems. However, the most common kind of two-factor authentication -- sending special codes via SMS messages -- may no longer be an acceptable form.

In the latest draft version of its Digital Authentication Guideline, the United States National Institute of Standards and Technology (NIST) is discouraging companies from using SMS-based authentication in their two-factor authentication schemes.

Many services offer two-factor authentication by asking users to enter into the app or site one-time passcodes sent via SMS to verify the transaction. Concerned about the weaknesses in the SMS mechanism, NIST is now recommending that developers use tokens and software cryptographic authenticators instead.

 "OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance," NIST wrote in a draft version of the DAG.

Software companies follow the guidelines set by NIST in their applications since federal agencies aren't allowed to use applications that don't conform to NIST guidelines. This is especially relevant for secure electronic communications.

SMS-based two-factor authentication is considered an insecure process because someone other than the user may be in possession of the phone and would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.

NIST isn't deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset -- that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is because it is insecure over VoIP.

There has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromising users.

A recent attack used social engineering to bypass Google's two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode -- which was a real code generated by Google when the attackers tried to log in -- arrived in a separate text message, and users who didn't realize the first message was not legitimate would pass the unique code on to the criminals.

"NIST's decision to deprecate SMS two-factor authentication is a smart one," said Keith Graham, CTO of authentication provider SecureAuth. "The days of vanilla two-factor approaches are no longer enough for security."

NIST outlines the future of SMS-based authentication in the DAG. If the out-of-band verification is to be made via SMS message on a public mobile phone network, the verifier has to verify the phone number is on an actual mobile network and not associated to a VoIP or other software-based phone services. It should also not be possible to change the phone number receiving the SMS message without using two-factor authentication.

For now, applications and services using SMS-based authentication can continue to do so as long as it isn't a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor app such as Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.

Hardware tokens such as RSA's SecurID display a new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.

Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.

Many developers are increasingly looking at fingerprint recognition, especially since the latest mobile devices have fingerprint sensors. Organizations can also employ adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, Graham said.

NIST acknowledged that biometrics is gaining steam as a method for authentication, but refrained from issuing a full recommendation because biometrics aren't considered secret and can be obtained and forged by attackers through various methods. Biometric methods are acceptable only if they are used with another authentication factor, according to the draft guidelines.

"[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns for blue eyes)," NIST wrote in the DAG.

The current version of the DAG is in public preview, which means the guidelines are still under discussion and NIST is soliciting feedback from partners and NIST stakeholders. At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. If it doesn't happen in this version, it will likely happen in future versions. Anyone who wants to review and comment can use GitHub to do so.

"It only seemed appropriate for us to engage where so much of our community already congregates and collaborates," NIST wrote.

SMS was an easy way to get developers, application owners, and users started on the two-factor authentication journey, because it was also the simplest. SMS is better than no two-factor at all, but the never-ending stream of data breaches indicates that better and stronger authentication methods are needed.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform