SMS-Based 2 Factor Authentication IS Dead.


Why you should be burying your old SMS-based two factor solution before it starts to stink.

Article originally posted here.

Here’s the story: SMS as a second factor for authentication started out pretty strong and is now used as an extra safety measure by most financial institutions. Your mobile phone has basically become your digital wallet, allowing you to confirm and perform transactions.
Don’t get me wrong: implementing SMS as a second factor for authentication or transaction authorisation is of course better than some lame password, but it’s no longer enough.
Why dead: The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, has just released a draft containing a set of recommended standards that regulate how digital authentication is done.

What is NIST?

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

You can find the guidelines available on Github here.

One recommendation stands out: implementers of new systems should seriously consider other authentication methods instead of using SMS for out-of-band (OOB) authentication.
If SMS is to be used for out-of-band verification on a public mobile network, the phone number MUST be verified so that it is indeed associated with a mobile network and not with a VoIP service. Only then is the message sent to the phone number that was pre-registered.
If the user wants to change the pre-registered phone number, this is only possible through two-factor authentication.

“OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

Why is SMS dying?

  • Because it’s not secure. SMS messages can be intercepted or redirected.
  • VoIP services are on the rise, which makes things much less safe: it becomes harder to establish whether the SMS really travelled over a mobile network or through a service that virtualises phone numbers.
  • Hackers are smart (shocking news), and they do and will find more ways to intercept and redirect SMS messages.

The guidelines add to the OMB guidance, E-Authentication Guidance for Federal Agencies, OMB M-04-04.

OMB guidance outlines a five-step process by which agencies should meet their digital authentication assurance requirements:

  • Conduct a risk assessment of the government system.
  • Map identified risks to the appropriate assurance level.
  • Select technology based on digital authentication technical guidance.
  • Validate that the implemented system has met the required assurance level.
  • Periodically reassess the information system to determine technology refresh requirements.*

So next time your bank proudly announces the upcoming implementation of an SMS-based second factor authentication, you can just send them the link:
Further reading: Digital Authentication Guideline: Public Preview

Sources
*https://pages.nist.gov/800-63-3/sp800-63b.html
