Sending Out SMS: NIST Recommends Shifting to Alternative 2FA Methods
July 28, 2016 | Authentication
By Daniel Maloof, IANS Managing Editor
As organizations have increased their efforts to promote information security over the past several years, two-factor authentication has become an engrained component of day-to-day employee operations across most industries.
To this point, one of the most popular methods organizations have employed is SMS-based two-factor authentication, in which the user is sent a text message with a code that the user then types in to complete the login process.
This method, however, may not be widely used for much longer, as the National Institute of Standards and Technology (NIST) recently issued the latest draft version of its Digital Authentication Guideline, in which it noted that out-of-band verification using SMS “is deprecated, and may no longer be allowed in future releases of this guidance.”
Though NIST has emphasized that the draft document is a public preview (and that it is seeking comments over the next few weeks via GitHub), the agency noted that there is a legitimate risk that SMS messages could be intercepted and encouraged organizations to “consider alternative authenticators.”
IANS Faculty Mike Saurbaugh explained that while SMS two-factor authentication was initially seen as the “path of least resistance” for organizations, the new NIST guidance indicates that the risks are beginning to outweigh the user-friendliness.
“NIST is concerned about the possibility that SMS communications could be intercepted and also because someone other than the device owner may be in possession and capable of making a request,” Saurbaugh said. “As in the case of using a smartphone for out-of-band where the code is received, it may be displayed on the lock screen and is susceptible to those nearby.”
“What NIST seems most concerned about is the use of SMS over voice-over-IP services. VoIP services can allow users to deliver text messages and voice calls without needing to possess the device. In addition to this, there is risk to the SMS communication being intercepted over the VoIP service by an attacker. It’s not mentioned directly, but the SS7 network, which would deliver the SMS communication, has been vulnerable to attack, too.”
Where Can Organizations Go From Here?
With NIST beginning to discourage the use of SMS as a two-factor authentication method, many organizations may soon need to adjust their practices, a particular challenge considering many employees have only recently become comfortable with the relatively easy-to-use SMS method. One alternative the agency supported in its guidance document (at least on a limited basis) was biometrics.
“Biometrics will pick up some more adoption in the future, but NIST will still require a second factor. NIST views biometric misuse as still possible through obtaining fingerprints or facial recognition, which is why another factor is still required,” Saurbaugh said. “Expect to see more development toward layered techniques, which may employ geolocation, login history and other behavioral factors. In the meantime, application soft tokens will have the most widely available support.”
“Many vendors offer support for the popular Google Authenticator or Microsoft’s Azure Authenticator for companies using Office 365, as well as security companies such as RSA, Gemalto, Duo Security or YubiKey, to name a few. The software token would allow the device to use the app which provides the randomly-generated value. These are easy to use and well-supported.”
Ultimately, though the guidance document remains in the comment period, NIST has left little doubt as to the direction it is heading when it comes to support for SMS-based two-factor authentication. Saurbaugh explained that it’s important for companies to begin educating their employees about alternative methods and preparing them for the transition.
“Many, many well-known services use SMS for OOB authentication,” Saurbaugh said. “Organizations will have to focus on user education and awareness when applications are no longer going to support SMS-based 2FA. Additionally, companies that develop applications that use SMS as OOB will need to begin to review NIST’s guidance and adapt, since those in the federal space need to follow NIST.”
“There’s time to address this and it doesn’t have to be done overnight, but the warning has been given and teams should begin adhering to the guidance across a reasonable timeframe.”