There have been several articles in the last couple of days about NIST’s latest Digital Authentication Guidelines (DAG) draft, which signals that SMS for two-factor authentication is nearing the end of its life. Given how widely SMS is used, it’s creating a lot of conversation, and many are asking what this could mean for the Enterprise.
First, what is the National Institute of Standards and Technology (NIST)? NIST is a US government agency that, among other things, publishes national measurement standards and security guidelines, including the SP 800-63 series on digital authentication that this draft revises.
In the latest DAG draft, NIST states that it is deprecating SMS messages for two-factor authentication (a popular subset of multi-factor authentication) because of security concerns. Two-factor authentication has become a popular means of verifying identity, particularly in the consumer world. For example, as a way to reduce fraud, the banking industry has used it for several years to add an extra layer of identity verification before allowing customers to make transactions or reset passwords. I think anyone who has done online banking recently has had to do this at some point.
Here is the relevant section from the DAG Draft:
"Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
“Out of band” verification, in this instance, means using a separate channel, typically a second device such as the user’s phone, to verify identity rather than the channel the login itself is happening on.
So, is SMS-based 2-Factor Authentication really that insecure? And what does this mean for the Enterprise?
Yes, SMS is a weak channel for a second factor. Some examples: SMS messages can appear on a device’s lock screen for anyone looking at it to see; weaknesses in the carrier signalling network (SS7) make it possible for hackers or spies to track a phone and intercept its messages; and messages can be redirected to an attacker’s handset through a SIM-swap or number-porting attack against the carrier, or read by malware on the phone itself. None of these attacks break any cryptography; they attack the delivery channel, which the verifier cannot see or control. So it is no surprise that this method of two-factor authentication is being phased out.
NIST does support alternative two-factor approaches such as biometrics and authenticator apps. For the enterprise, embracing these stronger authentication methods means more confidence that the business and its users are protected. Biometrics such as iris scanning, fingerprint, voice, or a combination of these are much harder to spoof than a texted code, with one caveat the draft spells out: a biometric may only be used as one factor together with a physical authenticator (typically the device the sensor is built into), not as the sole second factor on its own. And if the Enterprise also has policies in place based on geolocation, device type and typical user behaviour, it can take this a step further, confirming that users are who they say they are based on their usual behaviour patterns and on recognition of their individual physical traits.
Authenticator apps are another acceptable approach: an in-app code generator (a time-based one-time password, or TOTP, computed on the device from a shared secret) or a push notification gives another easy, mobile-based method, with the code or approval produced on the device rather than sent over the carrier network. Companies like Duo, Okta and SecureAuth have come up with a variety of multi-factor authentication solutions that combine authenticator apps and biometrics to provide more secure options to the Enterprise. These too can be connected with intelligence and policies tied to user behaviour to provide additional layers of verification.
So, while SMS for two-factor authentication may be near its end, this is a positive step forward and a signal for Enterprises to adopt more robust authentication methods to protect their organizations.