The US government’s National Institute of Standards and Technology (NIST) has released new guidelines designed to phase out the use of SMS-based two-factor authentication (2FA) for government service providers.
The standards agency made the move in a draft of its new Special Publication 800-63B Digital Authentication Guideline. Although it currently applies only in the context of authenticating to US government services, it could set the tone for the commercial world.
NIST claimed in the guidance that SMS-based two-factor authentication should be avoided due to the possibility of the one-time code itself being “intercepted or redirected.”
It continued:
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
The guidance is understandable, given that there have been numerous reported cases of malware designed to intercept such SMS codes, and scams where VoIP is used to spoof regular “public mobile telephone network[s].”
NIST approved the use of secure apps to perform out-of-band verification, where the government service sends a push notification to the user’s device.
However, it added:
“The verifier SHALL NOT store the identifying key itself, but SHALL use a verification method such as hashing (using an approved hash function) or proof of possession of the identifying key to uniquely identify the authenticator.”
Rob Norris, director of enterprise and cyber security at Fujitsu EMEA, argued that hackers will always take advantage of the weakest link in any system – but that an alternative could be biometrics.
“With the growing use of Apple products, consumers are now more comfortable with fingerprint scanner and biometrics techniques are quickly gaining traction as a two-factor authentication alternative,” he added.
“While we don’t expect biometric adoption to happen overnight, biometric verification of identity on a personal device will, in one way or another, become a standard identification process.”
However, not everyone agreed with NIST.
Kevin Panzavecchia, CTO of mobile network security firm HAUD, argued that the benefits of SMS 2FA still outweigh the downsides.
“The challenges facing SMS 2FA are not insurmountable, and MNOs have a role to play in ensuring their networks are secure for a vast array of applications currently by their subscribers, including this type of traffic,” he explained.
“By implementing a mobile network firewall that can filter and protect against misuse of Category 1, 2, and 3 SS7 traffic, MNOs can make sure that their networks remain safe for the transfer of sensitive information via SMS.”