As mentioned in Andrew Showstead’s blog post last month, the National Institute of Standards (NIST) has come out with a ruling on its digital authentication guidelines. They state that many types of SMS messaging as a second authentication factor (2FA) should now be considered insecure. This is actually not news. There have been numerous insecurities and hacks and other SMS 2FA compromises, starting with this 2012 hack of Wired author Mat Honan. Since then, Wired has put everyone on notice about insecure SMS 2FA and there is this FireEye blog post about combining SMS and phishing attacks. And one well-known digerati got his phone hacked by having the attacker just call his cell provider to change his SIM number.
In any case, the NIST document and the implied underlying decisions both require further explanation.
First off, the NIST ruling isn’t set in stone. It is a ‘preview,’ which means they are still collecting comments, and their document and their recommendations may undergo revision. Interestingly, you can submit your comments on GitHub here. That represents a big change for NIST, and they should be applauded for trying to use the open source community natively. As they posted, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”
Second, if you are going to comment, you should probably start with reading this blog post from Paul Grassi, a senior standards and technology advisor at NIST. The original document linked above is a difficult read, even for the most technical among us. For example, one of the NIST terms used is that SMS as an authentication factor is “deprecated.” What is that? Grassi says “you can use this puppy for now, but it’s on its way out.” Meaning that federal agencies should start exploring other 2FA options, or puppies in his parlance.
Speaking of federal agencies, while this NIST stuff is going on, the Social Security Administration didn’t quite get the right memo. They announced in late July that beginning immediately, anyone using their website to track their retirement benefits or communicate with the agency will be required to enter a cellphone and use a SMS message as an additional authentication factor when logging into their account.
Ironically, the agency claims it is doing this to adhere to federal standards just at the same time that NIST is trying to raise the bar on those same standards. As you might imagine, security analysts have already weighed in. Brian Krebs says the move by SSA “does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are. The new measure does little to prevent fraud.” Krebs does give the agency props for using other authentication methods at the time a retiree sets up an account, but still there are weaknesses.
Third, Grassi makes some other good points, one of which being that not all SMS services are created or operate equally and not all of them are tied to actual physical cell phones. There are some virtual VOIP numbers (think Google Voice) that can forward texts to anywhere and anyone. Or that text messages can show up on the locked cellphone screen, so that the user doesn’t even have to have possession of his or her phone to enter the appropriate code sequence. That is part of the issue around sending an SMS one-time password (OTP) as an additional authentication factor. It no longer becomes “something you know” but is just “something else that you know.”
Finally, with all the hue and cry about the NIST document, we tend to lose sight that sending an SMS for OTP is still better than having no additional authentication factors. “For normal people, 2FA is still going to limit the ability of an attacker to intercept or alter both your password and your SMS code,” says Violet Blue writing in Engadget recently.
Does this mean that SMS OTP is dead? Not quite. Certainly, as several security experts quoted in a recent SearchSecurity article say, the move by NIST is long overdue. SMS authentication shouldn’t be the sole second factor. There are better authentication methods, such as the Vasco Digipass Go and Crontosign products mentioned in Showstead’s blog post, and numerous other efforts with using selfies and photos too. The key takeaway? You need multiple authentication factors now more than ever, and SMS should be one of them, but not the only one.
FULL DISCLOSURE: I am the holder of a patent that uses mobile-originated SMS for authentication. My references to that technology in the comment below, however, are factual and not based on opinion.
NIST’s recommendation is pretty clear… as far as it goes. Reading their paper in detail it is clear that the SMS authentication method they are recommending be deprecated is when a text is sent to the mobile (mobile terminated or MT) containing a OTP. SMS authentication methods that use mobile-originated (MO) texts are not impacted by the weaknesses noted in their recommendations.
MO-based SMS authentication offers stronger security from several perspectives, including that it piggybacks on the cellular carriers’ own security processes for an additional very strong layer. Even in the event of a stolen phone the MO SMS method is more secure; OTPs that are sent to the phone are almost certainly going to appear on a locked screen in a preview as the vast majority of users leave the default preview option set to show. Sending an SMS from a stolen phone, however, requires that the thief can unlock the screen to send the text.
There are other reasons that MO-based SMS authentication is stronger and more secure than the method which NIST rightly recommends against continuing. MO SMS authentication is the way that two-factor authentication *should* have been designed in the first place, but it was not.