The US National Institute of Standards and Technology (NIST) has released the latest draft version of its Digital Authentication Guideline, and it contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA).
The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by government and private agencies to assess the security of their services and software.
NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.
SMS-based 2FA still acceptable, but not for long
According to the latest draft, NIST officials are discouraging companies from using SMS-based authentication, and go as far as to say that SMS-based 2FA may be considered insecure in future versions of the guideline. The exact paragraph in the NIST DAG draft is:
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
The NIST DAG argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in the possession of its owner.
While the guideline recommends tokens and software cryptographic authenticators instead, these may also take the form of phone apps or devices that can be stolen or “temporarily borrowed”, just like phones.
The NIST guideline accepts that risk, but SMS has an additional weak spot that tokens and cryptographic authenticators do not share, and it has eroded the trust placed in SMS: VoIP services.
SMS considered insecure, especially on VoIP connections
Because SMS messages sent to numbers hosted by some VoIP services can be hijacked, NIST officials want vendors that build SMS-based 2FA systems to check whether the pre-registered number belongs to a VoIP (or other software-based) service, rather than a mobile network, before sending the 2FA code.
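The two requirements quoted from the draft above (refuse SMS delivery to numbers that are not on a mobile network, and require a second factor at the time the registered number is changed) translate into a small amount of server-side logic. The following is an added example written for this page, not code from NIST or from any vendor; it stands in a constructed lookup table for the carrier/line-type service a real deployment would query, and the code lifetime and guess limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table standing in for a line-type / carrier lookup service.
# Assumption: a real number-portability or carrier database would return one of
# "mobile", "voip" or "landline" for a given E.164 number.
NUMBER_TYPE_DB = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "landline",
    "+15550004444": "mobile",
}

CODE_TTL_SECONDS = 300   # lifetime of an issued code (assumed policy value)
MAX_ATTEMPTS = 5         # guesses allowed per issued code (assumed policy value)


class VoipNumberRejected(Exception):
    """Number is not on a mobile network, so SMS out-of-band delivery is refused."""


class SecondFactorRequired(Exception):
    """A sensitive change was attempted without a fresh, valid second factor."""


@dataclass
class PendingCode:
    digest: bytes      # SHA-256 of the code; the clear-text code is never stored
    purpose: str       # what the code may be used for ("login", "phone_change", ...)
    expires: float     # absolute time in seconds
    attempts: int = 0


@dataclass
class Account:
    username: str
    phone: str
    pending: Optional[PendingCode] = None


def line_type(phone: str) -> str:
    """Look up the line type of a number (constructed table; see NUMBER_TYPE_DB)."""
    return NUMBER_TYPE_DB.get(phone, "unknown")


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def issue_sms_code(account: Account, purpose: str, now: float) -> str:
    """Generate a 6-digit out-of-band code for `purpose`, refusing non-mobile numbers.

    Returns the code so the caller can hand it to the SMS gateway; in a real
    system it must never be echoed back to the client.
    """
    kind = line_type(account.phone)
    if kind != "mobile":
        raise VoipNumberRejected(f"{account.phone} is {kind}, not a mobile-network number")
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
    account.pending = PendingCode(_digest(code), purpose, now + CODE_TTL_SECONDS)
    return code


def verify_sms_code(account: Account, submitted: str, purpose: str, now: float) -> bool:
    """Check a submitted code: bound to a purpose, time-limited, rate-limited, single-use."""
    pending = account.pending
    if pending is None or pending.purpose != purpose or now > pending.expires:
        account.pending = None               # fail closed and discard the code
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        account.pending = None               # burn the code after too many guesses
        return False
    ok = hmac.compare_digest(_digest(submitted), pending.digest)
    if ok:
        account.pending = None               # a code is good for exactly one use
    return ok


def change_phone_number(account: Account, new_phone: str, code: str, now: float) -> None:
    """Re-bind the out-of-band number only with a second factor verified at change time.

    The caller is assumed to have re-checked the first factor (password) already.
    The code must have been issued for "phone_change" and delivered to the OLD number,
    so that whoever holds the old number, not just the password, approves the change.
    """
    kind = line_type(new_phone)
    if kind != "mobile":
        raise VoipNumberRejected(f"{new_phone} is {kind}, not a mobile-network number")
    if not verify_sms_code(account, code, "phone_change", now):
        raise SecondFactorRequired("a valid phone_change code is required")
    account.phone = new_phone
```

Binding each code to a purpose matters in the number-change flow: a login code that an attacker phished out of the user cannot be replayed to re-point the account at the attacker's number, and the new number is itself vetted against the VoIP rule before the old one is released.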
SMS as a protocol is widely considered insecure. Only last week, researchers at Context Information Security published research that relied on weaknesses in the SMS protocol to compromise devices and their users. As more research of this type accumulates, NIST, software vendors, companies and users will move to more secure methods of authentication.
The current NIST guidelines are still under discussion, but it is almost certain that future versions of the Digital Authentication Guideline will no longer recommend SMS-based authentication as a secure method for out of band verification.
Biometrics are gaining traction
NIST’s DAG draft also acknowledges the proliferation of biometrics as an authentication method, which it considers acceptable under one condition:
“Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have).”