Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.
NIST Special Publications (SP) 800 series are required by the Office of Management and Budget (OMB) policies for almost all federal agencies. They are not required for privOate business. Nevertheless, they form part of the NIST Risk Management Framework (RMF) that is used by many U.S. organizations as the base framework for their own security policy. Conformance to the NIST RMF would certainly benefit companies wishing to do business with government departments.
The key paragraph in the new draft comes in section 184.108.40.206. Out of Band Verifiers:
Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
Since SMS-based 2FA is common among organizations that track RMF, a large number of U.S. businesses will need to change their remote authentication processes or deviate from NIST guidance. The first question they will need to consider is whether this is good advice from NIST; and be able to justify any decision to ignore it.
Is deprecating SMS-based 2FA good advice?
SecurityWeek talked to consultants, vendors and practitioners – and found a divergent range of views.
Alan Goode, MD of mobile and biometrics consultancy Goode Intelligence, suggests this advice must be viewed in context.
“As the guidelines relate to U.S. federal agencies the security of the recommended authentication mechanisms has to be of a highly secure and reliable nature,” Goode said. “The use of SMS to deliver one-time-codes and passwords does not meet these criteria as SMS messages can be intercepted in the network or by malware that has infected a person’s mobile device. SMS is not a secure messaging system and can also not be 100% relied on in terms of delivery.”
But, he added, this doesn’t mean that SMS needs necessarily be abandoned by business.
“SMS-based authentication can offer an additional layer of authentication that may be appropriate in some circumstances and can be used to supplement existing authentication technologies such as the common username and password.”
Although the general perception is that NIST is abandoning phone-based 2FA, this isn’t factual. Keith Graham, CTO at SecureAuth, points out that NIST is actually “recommending that current SMS delivery must be secured by ensuring that it is delivered to 'real' mobile phones only and not virtualized numbers such as VOIP. They're also recommending that for changes to be made for an account/profile, the change/modification of the number should be protected using 2FA.”
NIST’s proposal has both support and opposition among CISO business practitioners. Martin Zinaich, information security officer for the City of Tampa, commented, “NIST, as usual, is making the right call. Many will raise the concerns over hijacking an SMS message or being able to see the text message on a stolen phone even when locked (a common configuration) – however a more glaring issue is the global telecom network known as Signal System 7 (SS7). First designed in the 1980s, it is full of flaws. Most of those flaws are ‘by design’ to keep calls connected from tower to tower. It doesn’t make sense to utilize 2FA when that second factor is so easily breached.”
His view is supported by Alvaro Hoyos, CISO at OneLogin. SS7, he told SecurityWeek, “is susceptible to hacks – and once a provider's system has been hacked, SMS messages can be intercepted or spoofed. Therefore, the validity and integrity of SMS one-time password (OTP) codes cannot be guaranteed and because the system is so old, it would take significant time and effort to secure it. For that, read: don't hold your breath.”
Not everyone agrees that this means SMS need necessarily be abandoned. Steve Lentz, chief security officer at Samsung Research America, believes that NIST’s role can be to advise, but should not dictate. The responsibility for security resides with the CISO of the company concerned.
“Every company has a different infrastructure so a solution that works for me may not work for you," Lentz said. "Give us the requirements and it is our job to find the solution.”
Nor does he believe there should necessarily be a blanket ban on one-time-passwords.
“NIST’s main issue appears to be sending a code to an unverified phone.” His solution is to verify the phone rather than abandon the idea.
“We have to do our due diligence to ensure the number on the other end is an actual authorized number to send to. You can also use one-time-passwords where you have a software based token app on your PC or phone to authenticate. For example for simple 2FA, let’s say for online storage, you have your Active Directory ID and password, and then an OTP to get access. You can use certificates as well. Again it’s up to us to ensure security – if not, then the blame is on us. It’s not necessarily the method of authentication, but how it is used and whether it is properly configured and secure.”
The extreme edge of this viewpoint was voiced by Gary Bailey, the CIO at Penn Virginia.
“I think certain agencies are trying to scare companies into buying more security technology and services," Bailey said. "Somebody is getting rich off of what the hackers are doing to corporations. Mostly, the result is embarrassment and not financial theft. I think it’s a money grab for somebody.” This viewpoint is fueled by the cost that will be incurred if companies are forced to move to alternative methods.
Secure alternatives, suggests Theresa Semmens, CISO at North Dakota State University, “will be costly.”
Dan Swartwood, a Senior Fellow with the Ponemon Institute, explains: “NIST is recommending biometrics to replace OTP 2FA. The infrastructure modifications needed to implement that feature would be monumental.”
A common criticism levelled at the NIST draft is that it is good, but insufficient. Bill Burns, CISO at Informatica, comments, “NIST’s guidance is good, but it’s incomplete. They pointed out good reasons to consider an alternative, but didn’t go into the options enough.” Theresa Semmens adds, “NIST will need to bring forth more information and suggested implementations if they want to deprecate SMS-based 2FA.”
Drew Koenig, security solutions architect at Magenic, believes NIST’s arguments are too thin. “NIST is technically correct that the current SMS communication layer is weak and open to interception. NIST doesn't mention how usernames and passwords are just as susceptible to interception through key loggers, man in the middle, and social engineering. There is no mention that hard tokens can openly display the current code on an LED screen when lost.” That, he adds, is the very reason to use multi-factors: “The attackers needs all three items, username, password and the token, to gain access. If an SMS text message is intercepted, the username and password is still required.”
The general consensus is that NIST is not wrong; but nor is it right. SMS can be made to work in the right conditions and it is the CISO’s responsibility to make it work. “Short story,” says Brian Kelly, CISO at Quinnipiac University, “is SMS can be spoofed, so I think it’s a solid recommendation. Although I would still advocate that SMS 2FA is better than no 2FA.”
Alternatives are likely to be costly, and NIST does not provide enough information about those alternatives. The irony of the Social Security Administration announcing its own new authentication process has been lost on no-one. “A few days after the NIST draft was released the Social Security Administration announced they are adding multi-factor authentication to the website. The method they added was SMS text message,” notes Koenig.
Despite these concerns, federal agencies and organizations that base their policy on the NIST RMF, will need to deprecate SMS-based 2FA if the draft proposals are ratified. The question then is what should they use instead.
Alternatives to SMS 2FA
Alan Goode believes there is ample choice. “If mobile devices are to be used,” he told SecurityWeek, “then soft tokens can be used to generate the code on the device itself, but if the device has malware then this could be a risk. For higher levels of assurance, secure environments and trusted execution environments (TEE) can be leveraged to securely store authentication credentials, including private crypto keys and biometric data, and support secure, tamper-resistant, application processing.”
One new and evolving method of authentication is gaining traction with the practitioners: behavioral biometrics. This solves an underlying problem for almost all forms of authentication: user friction. User friction is the degree of effort required from the user, such as remembering and entering long and complex passwords, or typing in an OTP from a separate device. Behavioral biometrics is sometimes also described as passive authentication: the user doesn’t need to do anything extra (which would be active authentication).
Martin Zinaich gives an extreme example. “I have 800 police officers in cars. I really don’t what them to have to receive an SMS message, or open a token device, or plug in a USB device that can be lost in order to get logged in. We need something that is mostly transparent. What if we know the IP address space they come from, and the operating system, and their displayable fonts, and their browser signature, and up to 100 other items? If those things match, you are good. If they don’t – then you prompt for a token.”
Finance companies are already moving in the direction of passive biometrics in the form of certain physiological biometrics. This year MasterCard announced that it would roll out a new payments authentication process involving facial recognition (selfies). In July Barclays Bank announced that it would replace passwords with voice authentication for its telephone banking service. In both cases user friction is reduced: users don’t have to remember anything or type anything.
OneLogin’s Hoyos commented, “As mobility becomes the standard for most of the workforce, geolocation is being introduced as another safeguard against hacks. Google also announced an initiative earlier this year that combines behavioral and physiological biometrics to authenticate users. Even though physiological biometrics have made relatively slow progress since originally introduced to information security decades ago, combined with behavioral biometrics might be the key for wider adoption.”
Vivek Khandelwal, VP Business Development at Delta ID, believes that a combination of smart phone and passive physiological biometrics will satisfy NIST’s future requirements. “Instead of SMS, biometrics is the most convenient and secure second factor – the first factor being the possession of the smartphone,” he told SecurityWeek. “With the widespread availability of smartphones with biometric - fingerprint and now iris authentication technology, it is also more practical and economical.”
Khandelwal went on to explain the different strengths of these additional factors.
“The authentication strength of any modality is measured in terms of the false accept error - the error that allows access to an imposter," he said. "Typically, a smartphone fingerprint authentication can establish the identity of the person with a false accept error rate of 1 in tens of thousands. Or another way to look at it - fingerprint has a strength equivalent of a 4-digit passcode. Iris is an even stronger modality. In a typical smartphone implementation, iris can provide false accept error rate as low as 1 in millions, or the equivalent of a 6-digit passcode. Both iris and fingerprint are practical and easy to use; although iris has been proven to work across broader demographics – people across all age groups and occupations.”
Fingerprints, however, “have been found to be hard to work for older people with slightly hardened skin or women and children with softer skin, and people in manual labor such as construction and so on,” Khandelwal says.
But there are still problems with a switch from SMS-based 2FA to phone and biometrics. We have already seen that some practitioners are concerned about infrastructure costs.
“In my opinion,” said one CISO who wished to remain anonymous, “NIST should not be removing SMS based 2FA.” His company is a manufacturing organization with “a lot of employees who do not have smart phones.” NIST, he added, is “about 3 to 5 years too early from a practical perspective. If they do remove SMS, then our only alternative would be hard tokens (for our expanded set of users) and we simply don't want the expense and hassle of managing this many hard tokens.”
Authentication remains one of security’s biggest problems. Using multiple factors makes authentication stronger, but increases costs. Few practitioners think NIST is wrong to publicize the weaknesses in using SMS OTPs to provide a second factor, but there is a strong feeling that this should only be seen as advisory. Indeed, there is widespread concern over the lack of information about alternatives. Most practitioners are likely to take the advice on board, but will still proceed with their own solutions within their own budgets for their own environment.