Ever since the Federal Financial Institutions Examination Council (FFIEC) issued its guidance on “Authentication in an Electronic Banking Environment” in 2001, using two distinct identity factors to secure on-line transactions has been a best practice. One of the most popular two-factor authentication methods is to require a customer to enter a one-time PIN that the company sends to the customer’s mobile phone via SMS – or text messaging. Recently, the National Institute of Standards and Technology (NIST) released a preview of its draft guidance on digital authentication that says companies should begin reducing their use of SMS in this manner due to the increasing security threats posed by use of the channel. This raises the question of what alternatives are available to provide that critical second factor of authentication.
NIST is responsible for developing information security standards and guidelines, but rarely weighs in on electronic communication practices for businesses. The guidelines are in a public discussion phase expected to end Sept. 17, and it will likely be early 2018 before they complete the government’s comment and approval process. To help us better understand what the recommendations are, why they matter, and what some alternative options would be, I spoke with a security expert here at Nuance.
Advait Deshpande, CISSP, is a senior product manager in our Biometrics division and has more than 20 years of experience working with companies in financial services, insurance, healthcare, government, and other security-minded industries to ensure security best practices are being implemented.
First, the NIST guidelines are long and somewhat convoluted. Can you explain what NIST actually announced?
The new guidelines announced by NIST propose deprecation, not discontinuation, of using SMS as a second factor of authentication. Deprecation means it can be used (for now) but it is on its way out. As remote attack exploits on redirecting or intercepting SMS messages increase, the efficacy of using SMS to deliver a one-time PIN or password will decrease and will have to be phased out, as it is lacking the level of security needed to protect organizations’ and customers’ information.
Right now, the NIST guidelines are in the public comment phase. This is where they invite input and critical review on the proposed standards from individuals and organizations alike. It will be a little while before the standards are finalized, published by NIST and subsequently adopted by government agencies. I expect the private sector to follow suit thereafter.
What’s wrong with using SMS for verification?
Over the last few years, fraudsters have gotten very sophisticated in spoofing caller IDs and faking SMS messages. It has become easy for hackers to intercept these randomly generated codes if the phone is connected to a voice over IP (VoIP) service or something similar. The codes can also be stolen by Android malware on infected devices, making SMS two factor authentication a risky proposition.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier shall verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number should not be possible without two-factor authentication at the time of the change. Out of band verification using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
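As an added illustration (not from the original post, nor Nuance's or NIST's code), here is a minimal out-of-band SMS verifier in Python that enforces the three rules in the quoted NIST draft text: the pre-registered number must be on a mobile network rather than a VoIP service (checked at enrolment and again at send time), the one-time code goes only to that pre-registered number, and a change to the pre-registered number is refused without two-factor authentication at the time of the change. The line-type table and the SMS transport are constructed stand-ins for a carrier line-type lookup and an SMS gateway.

```python
import hmac
import secrets
import time

# Constructed stand-in for a carrier line-type lookup. A real deployment would
# query a number-portability / line-type service here (assumption, not NIST's text).
LINE_TYPE = {"+15550000001": "mobile", "+15550000002": "voip"}


class SmsOtpVerifier:
    """Out-of-band SMS verifier applying the rules in the quoted NIST draft."""

    def __init__(self, send_sms, ttl=300, now=time.time):
        self.send_sms, self.ttl, self.now = send_sms, ttl, now
        self.numbers = {}   # user -> pre-registered telephone number
        self.pending = {}   # user -> (code, expiry time)

    def register_number(self, user, number, second_factor_ok=False):
        # Changing an existing pre-registered number requires two-factor
        # authentication at the time of the change; first registration is allowed.
        if user in self.numbers and not second_factor_ok:
            raise PermissionError("number change requires two-factor authentication")
        if LINE_TYPE.get(number) != "mobile":
            raise ValueError("number is not on a mobile network (VoIP or unknown)")
        self.numbers[user] = number

    def send_code(self, user):
        number = self.numbers[user]
        if LINE_TYPE.get(number) != "mobile":   # re-verify at send time, not only at enrolment
            raise ValueError("pre-registered number is no longer a mobile line")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, fixed width so leading zeros survive
        self.pending[user] = (code, self.now() + self.ttl)
        self.send_sms(number, f"Your one-time code is {code}")

    def verify(self, user, submitted):
        entry = self.pending.pop(user, None)     # single use: consumed by any attempt
        if entry is None:
            return False
        code, expiry = entry
        if self.now() > expiry:                  # expired codes never verify
            return False
        return hmac.compare_digest(code, submitted)   # constant-time comparison


if __name__ == "__main__":
    outbox = []
    v = SmsOtpVerifier(lambda num, msg: outbox.append((num, msg)))
    v.register_number("alice", "+15550000001")
    v.send_code("alice")
    print("sent:", outbox[-1])
    print("verified:", v.verify("alice", outbox[-1][1].split()[-1]))
```

The `pending` entry is consumed by any attempt, so a wrong guess forces a fresh code rather than allowing repeated tries against the same one.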
Does that mean that organizations can no longer use SMS for two factor authentication?
No, most companies can and will continue to use SMS for two factor authentication for two reasons. First, while using SMS to deliver a second factor of authentication is not as secure as it should be, it is still better than a single factor of authentication. Second, enterprises have made significant investments – sometimes millions of dollars as well as time devoted to training teams – in SMS infrastructure, so they can’t just throw it all out at once. Companies will slowly start phasing out SMS, so it won’t be used as often or for as many purposes, and eventually it will go away. But SMS will still be around for many years to come.
Proactively, enterprises should begin planning to phase out using SMS for authentication and evaluate options to replace it with another stronger factor, like voice biometrics.
NIST doesn’t have the power to push regulatory action against companies who don’t comply. Does that mean businesses can ignore the recommendation?
While NIST does not have direct regulatory oversight on authentication in the commercial sector, they do have considerable influence (rightfully so) on technology standards. It is very likely that the FFIEC and other regulatory organizations will follow NIST’s lead in issuing guidelines deprecating or discontinuing the use of SMS as a secure factor of authentication. And if you don’t think NIST has the power to end the use of a technology based on their findings, consider the story of Jess Ritchie and his bogus AD-X2 battery additive.
Is NIST recommending against two factor authentication?
Quite the contrary! NIST reiterates the risk-based decision practices and strongly recommends multi-factor authentication that is risk appropriate. In their follow-up blog post, NIST even went to the length of clarifying that a two factor authentication (even using SMS to mobile) is better than a single factor of authentication.
What are the ways to do two-factor authentication?
Multi factor authentication is based on using “something you know”, “something you have” and/or “something you are” to construct a robust multi factor authentication design. For example:
I’m sure it’s not a surprise that I happen to be a big fan of “something you are.” This biometric factor has been shown to be less susceptible to traditional attack vectors and vulnerabilities.
Do customers really prefer other forms of authentication?
Customers want to authenticate in a way that’s easy and secure – and in whatever form best meets those two needs. In fact, 90% of users actually prefer voice biometrics over SMS or PINs and passwords. And voice biometrics is 80% faster at confirming users’ identity – which adds a “wow” factor to the customer experience. Check out what real people had to say when met with a voice biometric-enabled solution.
All forms of biometrics modalities such as fingerprint, voice, face, iris, behavioral etc. can be considered a strong authentication factor. In picking the best authentication factor, it all comes down to an effective risk analysis and value of the asset being protected.