NIST blog clarifies SMS deprecation in wake of media tailspin | ZDNet

NIST wants two-factor-authentication to be widely used – but does not want SMS to be a factor in this. There are good reasons for both recommendations.


  1. Tomi Engdahl says:

    NIST Denounces SMS 2FA – What are the Alternatives?

    Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.

    NIST Special Publications (SP) 800 series are required by the Office of Management and Budget (OMB) policies for almost all federal agencies. They are not required for private business. Nevertheless, they form part of the NIST Risk Management Framework (RMF) that is used by many U.S. organizations as the base framework for their own security policy. Conformance to the NIST RMF would certainly benefit companies wishing to do business with government departments.

    The key paragraph in the new draft comes in section Out of Band Verifiers:

    Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.

    Since SMS-based 2FA is common among organizations that track RMF, a large number of U.S. businesses will need to change their remote authentication processes or deviate from NIST guidance.

    Is deprecating SMS-based 2FA good advice?

    SecurityWeek talked to consultants, vendors and practitioners – and found a divergent range of views.

    “The use of SMS to deliver one-time-codes and passwords does not meet these criteria as SMS messages can be intercepted in the network or by malware that has infected a person’s mobile device. SMS is not a secure messaging system and can also not be 100% relied on in terms of delivery.”

    But, he added, this doesn’t mean that SMS needs necessarily be abandoned by business.

    “SMS-based authentication can offer an additional layer of authentication that may be appropriate in some circumstances and can be used to supplement existing authentication technologies such as the common username and password.”

    Although the general perception is that NIST is abandoning phone-based 2FA, this isn’t factual. Keith Graham, CTO at SecureAuth, points out that NIST is actually “recommending that current SMS delivery must be secured by ensuring that it is delivered to ‘real’ mobile phones only and not virtualized numbers such as VOIP. They’re also recommending that for changes to be made for an account/profile, the change/modification of the number should be protected using 2FA.”

    His view is supported by Alvaro Hoyos, CISO at OneLogin. SS7, he told SecurityWeek, “is susceptible to hacks – and once a provider’s system has been hacked, SMS messages can be intercepted or spoofed. Therefore, the validity and integrity of SMS one-time password (OTP) codes cannot be guaranteed and because the system is so old, it would take significant time and effort to secure it. For that, read: don’t hold your breath.”

    Not everyone agrees that this means SMS need necessarily be abandoned.

    Nor does he believe there should necessarily be a blanket ban on one-time-passwords.

    “NIST’s main issue appears to be sending a code to an unverified phone.” His solution is to verify the phone rather than abandon the idea.

    “I think certain agencies are trying to scare companies into buying more security technology and services,” Bailey said. “Somebody is getting rich off of what the hackers are doing to corporations. Mostly, the result is embarrassment and not financial theft. I think it’s a money grab for somebody.” This viewpoint is fueled by the cost that will be incurred if companies are forced to move to alternative methods.

    Secure alternatives, suggests Theresa Semmens, CISO at North Dakota State University, “will be costly.”

    “NIST is recommending biometrics to replace OTP 2FA. The infrastructure modifications needed to implement that feature would be monumental.”

    A common criticism levelled at the NIST draft is that it is good, but insufficient. Bill Burns, CISO at Informatica, comments, “NIST’s guidance is good, but it’s incomplete. They pointed out good reasons to consider an alternative, but didn’t go into the options enough.”

    Alternatives to SMS 2FA

    Alan Goode believes there is ample choice. “If mobile devices are to be used,” he told SecurityWeek, “then soft tokens can be used to generate the code on the device itself, but if the device has malware then this could be a risk. For higher levels of assurance, secure environments and trusted execution environments (TEE) can be leveraged to securely store authentication credentials, including private crypto keys and biometric data, and support secure, tamper-resistant, application processing.”

    One new and evolving method of authentication is gaining traction with the practitioners: behavioral biometrics. This solves an underlying problem for almost all forms of authentication: user friction. User friction is the degree of effort required from the user, such as remembering and entering long and complex passwords, or typing in an OTP from a separate device. Behavioral biometrics is sometimes also described as passive authentication: the user doesn’t need to do anything extra (which would be active authentication).

    Martin Zinaich gives an extreme example. “I have 800 police officers in cars. I really don’t want them to have to receive an SMS message, or open a token device, or plug in a USB device that can be lost in order to get logged in. We need something that is mostly transparent. What if we know the IP address space they come from, and the operating system, and their displayable fonts, and their browser signature, and up to 100 other items? If those things match, you are good. If they don’t – then you prompt for a token.”

    Finance companies are already moving in the direction of passive biometrics in the form of certain physiological biometrics. This year MasterCard announced that it would roll out a new payments authentication process involving facial recognition (selfies). In July Barclays Bank announced that it would replace passwords with voice authentication for its telephone banking service.

    OneLogin’s Hoyos commented, “As mobility becomes the standard for most of the workforce, geolocation is being introduced as another safeguard against hacks. Google also announced an initiative earlier this year that combines behavioral and physiological biometrics to authenticate users.”

    “The authentication strength of any modality is measured in terms of the false accept error – the error that allows access to an imposter,” he said. “Typically, a smartphone fingerprint authentication can establish the identity of the person with a false accept error rate of 1 in tens of thousands. Or another way to look at it – fingerprint has a strength equivalent of a 4-digit passcode. Iris is an even stronger modality. In a typical smartphone implementation, iris can provide false accept error rate as low as 1 in millions, or the equivalent of a 6-digit passcode. Both iris and fingerprint are practical and easy to use; although iris has been proven to work across broader demographics – people across all age groups and occupations.”


    Authentication remains one of security’s biggest problems. Using multiple factors makes authentication stronger, but increases costs.
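
The quoted draft paragraph sets three rules for an SMS out-of-band verifier: confirm the pre-registered number is on a mobile network rather than a VoIP service, refuse to change that number without two-factor authentication at the time of the change, and treat SMS as deprecated. The following is an added example that models those rules, not code from NIST or from any vendor quoted in the post; `LINE_TYPE_DB` is a constructed stand-in for a carrier line-type lookup, and the code lifetime and attempt limit are assumed values.

```python
"""Added model of the SMS out-of-band verifier rules from the draft SP 800-63B.
Illustration code, not NIST's or any vendor's; LINE_TYPE_DB stands in for a
carrier line-type lookup (assumption), and the limits below are assumed values."""
import hmac
import secrets
import time

# Constructed sample data: line type per telephone number. A real verifier
# would query a carrier or number-portability lookup service instead.
LINE_TYPE_DB = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
}

OTP_TTL_SECONDS = 300   # lifetime of a delivered code (assumed)
MAX_ATTEMPTS = 3        # wrong guesses before the code is invalidated (assumed)


def is_mobile_number(number):
    """The SHALL check: the number must be on a mobile network, not VoIP."""
    return LINE_TYPE_DB.get(number) == "mobile"


class SmsOobVerifier:
    def __init__(self, clock=time.time, deliver=None):
        self.clock = clock
        self.outbox = []                          # (number, code) pairs handed to the gateway
        self.deliver = deliver or self.outbox.append
        self.accounts = {}                        # user -> pre-registered number
        self.pending = {}                         # user -> [code, issued_at, failed_attempts]

    def register_number(self, user, number):
        if not is_mobile_number(number):
            raise ValueError("number is not associated with a mobile network")
        self.accounts[user] = number

    def change_number(self, user, new_number, second_factor_ok):
        """The SHALL NOT rule: a change needs two-factor authentication at the
        time of the change. The caller passes the outcome of that fresh check;
        an existing session alone is not enough."""
        if not second_factor_ok:
            raise PermissionError("number change requires a fresh second factor")
        self.register_number(user, new_number)

    def send_code(self, user):
        number = self.accounts[user]
        if not is_mobile_number(number):          # re-check at send time; numbers get ported
            raise ValueError("registered number is no longer a mobile line")
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, fixed width
        self.pending[user] = [code, self.clock(), 0]
        self.deliver((number, code))              # the SMS gateway call goes here

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS or failed >= MAX_ATTEMPTS:
            del self.pending[user]                # expired or locked out
            return False
        if hmac.compare_digest(code, submitted):  # constant-time comparison
            del self.pending[user]                # one code, one successful use
            return True
        entry[2] += 1
        return False


def demo():
    """Exercise the rules with a controllable clock; returns the outcomes."""
    now = [1_000_000.0]
    v = SmsOobVerifier(clock=lambda: now[0])
    out = {}
    v.register_number("alice", "+15550100001")
    try:
        v.register_number("bob", "+15550100002")  # VoIP number
        out["voip_rejected"] = False
    except ValueError:
        out["voip_rejected"] = True
    try:
        v.change_number("alice", "+15550100001", second_factor_ok=False)
        out["change_without_2fa_blocked"] = False
    except PermissionError:
        out["change_without_2fa_blocked"] = True
    v.send_code("alice")
    code = v.outbox[-1][1]
    wrong = "000000" if code != "000000" else "999999"
    out["wrong_code_accepted"] = v.verify("alice", wrong)
    out["right_code_accepted"] = v.verify("alice", code)
    out["replay_accepted"] = v.verify("alice", code)
    v.send_code("alice")
    code = v.outbox[-1][1]
    now[0] += OTP_TTL_SECONDS + 1
    out["expired_code_accepted"] = v.verify("alice", code)
    v.send_code("alice")
    code = v.outbox[-1][1]
    wrong = "000000" if code != "000000" else "999999"
    for _ in range(MAX_ATTEMPTS):
        v.verify("alice", wrong)
    out["accepted_after_lockout"] = v.verify("alice", code)
    return out
```

The line-type check runs both at registration and at send time, because a number registered as mobile can later be ported to a VoIP provider. The `second_factor_ok` flag is deliberately an input rather than something the verifier infers from the session: the draft's point is that the change itself must be gated by a fresh second factor, which is what blocks an attacker with a stolen session from redirecting codes to a number they control.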
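
Zinaich's patrol-car scenario is a risk-based step-up: compare the signals observed at login (address space, operating system, fonts, browser signature) against an enrolled profile, let matching logins through, and prompt for a token on a mismatch. The block below is an added example of that decision, not code from any product named in the post; the enrolled profile and the two login observations are constructed, and the choice of four signals is an assumption where the quote mentions up to a hundred.

```python
"""Added example of the passive step-up decision described in the post.
Illustration code, not from any product named there; the profile and the
observed logins are constructed sample data."""
import ipaddress

# Constructed enrolled profile (assumption: built from earlier successful logins).
ENROLLED_PROFILE = {
    "ip_networks": ["203.0.113.0/24"],          # TEST-NET-3 documentation range
    "os": "Windows 10",
    "fonts": {"Arial", "Calibri", "Segoe UI"},
    "browser_signature": "Firefox/102 x86_64",
}


def mismatched_signals(profile, observed):
    """Return the names of the signals that do not match the enrolled profile."""
    mismatches = []
    addr = ipaddress.ip_address(observed["ip"])
    if not any(addr in ipaddress.ip_network(net) for net in profile["ip_networks"]):
        mismatches.append("ip")
    if observed["os"] != profile["os"]:
        mismatches.append("os")
    # Fonts: the enrolled set must still be present; extra fonts are tolerated.
    if not profile["fonts"] <= observed["fonts"]:
        mismatches.append("fonts")
    if observed["browser_signature"] != profile["browser_signature"]:
        mismatches.append("browser_signature")
    return mismatches


def decide(profile, observed):
    """'allow' when every signal matches, otherwise 'step_up' (prompt for a token).
    Passive signals are observable rather than secret, so a mismatch escalates
    to a real authenticator instead of standing in for one."""
    return "allow" if not mismatched_signals(profile, observed) else "step_up"


# Constructed login observations.
PATROL_CAR_LOGIN = {
    "ip": "203.0.113.42",
    "os": "Windows 10",
    "fonts": {"Arial", "Calibri", "Segoe UI", "Consolas"},
    "browser_signature": "Firefox/102 x86_64",
}
UNKNOWN_DEVICE_LOGIN = {
    "ip": "198.51.100.7",            # TEST-NET-2, outside the enrolled range
    "os": "Android 12",
    "fonts": {"Roboto"},
    "browser_signature": "Chrome/103 arm64",
}
```

The list of mismatched signals, not just the verdict, is what an operations team wants logged: it explains why a given login was stepped up, and it shows which signals drift legitimately (a font pack install, a new browser build) and so should be re-enrolled after a successful token prompt.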

