The U.S. National Institute of Standards and Technology plans to deprecate the use of SMS-based two-factor authentication, and experts said the change was long overdue.
NIST released a public preview draft of its Digital Authentication Guideline, in which one section stated that if two-factor authentication (2FA) must be done via SMS, the verifier must "verify that the preregistered telephone number being used is actually associated with a mobile network, and not with a VoIP (or other software-based) service," but "[out of band] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
NIST called this release a public preview, so it can post the documents on GitHub and solicit comments on the guidelines and changes, including those to SMS 2FA.
Experts generally said SMS 2FA has survived as long as it has because consumers tend to choose convenience over security when it comes to authentication. SMS 2FA is the easiest method of authentication, but it introduces risks, including someone simply reading the 2FA code from a lock-screen notification. Experts said alternative authentication methods, such as tokens and on-device authentication apps, will provide better security, but they can be more complex to set up and more costly to implement.
Damien Hugoo, director of product management at cybersecurity vendor Easy Solutions Inc., based in Doral, Fla., said these guidelines make sense and are long overdue.
"There have been numerous attacks that have been reported where SMS gets hijacked by malware on the end-user device, like Eurograbber. Australian Telco even in 2012 had declared SMS unsafe for banking transactions," Hugoo told SearchSecurity. "U.S. agencies like FFIEC [Federal Financial Institutions Examination Council] in the past have not clearly made a strong move against SMS 2FA, leaning more on the safe side by recommending a multilayer approach. This is finally a clear message to move away from SMS; this is a big deal."
Bill Supernor, CTO for messaging security firm KoolSpan, based in Bethesda, Md., also said the deprecation was long overdue in the NIST guidelines because of the security threats posed by SMS 2FA.
"The biggest risk is that a hostile party can perform a targeted man-in-the-middle attack by observing any SMS-based authentication, and/or generating their own authentication requests and redirecting them," Supernor told SearchSecurity via email. "In essence, this means that the attacker can see the verification codes that are being texted to you. For example, an attacker can invoke a password reset for your bank account and redirect the SMS-based verification to a phone number of their choosing."
The new NIST guidelines attempted to mitigate this risk by stating, "Changing the preregistered telephone number SHALL NOT be possible without two-factor authentication at the time of the change."
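The two draft requirements quoted above (reject numbers that are not on a mobile network, and refuse to change the preregistered number without 2FA at the time of the change) translate into a small piece of verifier-side policy. The following is an added example written for this page, not code from NIST or from any vendor quoted in the article; the number-type table, the account store and the five-minute freshness window are constructed assumptions standing in for a real carrier lookup and session state.

```python
"""Verifier policy for an SMS out-of-band authenticator (added example).

Enforces two controls from the draft guideline quoted in the article:
  1. the registered number must belong to a mobile network, not VoIP
     or another software-based service;
  2. an existing registered number may only be changed when the account
     has just completed two-factor authentication.
"""
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a carrier/number-type lookup. A real verifier
# would query a number-portability or HLR lookup provider instead.
NUMBER_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
    "+15550100004": "mobile",
}

# Assumed freshness window: how recently the full 2FA ceremony must have
# succeeded for a number change to count as "2FA at the time of the change".
MAX_2FA_AGE_SECONDS = 300


@dataclass
class Account:
    phone: Optional[str] = None
    last_2fa_ok: Optional[float] = None  # Unix time of last successful 2FA


class PolicyError(Exception):
    """Raised when a request violates the SMS authenticator policy."""


def is_mobile_number(number: str) -> bool:
    """True only if the lookup says the number is on a mobile network."""
    return NUMBER_TYPE.get(number) == "mobile"


def has_recent_2fa(account: Account, now: float) -> bool:
    """True if the account completed 2FA within the freshness window."""
    if account.last_2fa_ok is None:
        return False
    return 0 <= now - account.last_2fa_ok <= MAX_2FA_AGE_SECONDS


def register_phone(account: Account, number: str, now: Optional[float] = None) -> str:
    """Set or change the preregistered SMS number, enforcing both controls.

    Returns the number now on file; raises PolicyError if either control fails.
    """
    now = time.time() if now is None else now
    if not is_mobile_number(number):
        raise PolicyError("number is not associated with a mobile network")
    if account.phone is not None and not has_recent_2fa(account, now):
        raise PolicyError("changing the registered number requires 2FA at the time of the change")
    account.phone = number
    return account.phone


def may_send_sms_code(account: Account) -> bool:
    """Re-check the number type at send time, since numbers can be ported to VoIP later."""
    return account.phone is not None and is_mobile_number(account.phone)


if __name__ == "__main__":
    acct = Account()
    print(register_phone(acct, "+15550100001", now=1000.0))
    acct.last_2fa_ok = 900.0  # 100 s ago: inside the window
    print(register_phone(acct, "+15550100004", now=1000.0))
    print(may_send_sms_code(acct))
```

The re-check in `may_send_sms_code` matters because a number that was mobile at enrollment can later be ported to a VoIP provider; checking only once at registration leaves the attack Supernor describes (redirecting the verification SMS) open for the life of the account.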
NIST guideline reach
Experts said, while NIST guidelines may be intended primarily for use within the U.S. federal government, they often end up having a much broader reach.
Luther Martin, distinguished technologist for Hewlett Packard Enterprise Security, said NIST standards often become the "de facto standards for the whole world."
"The U.S. government's Security Standards for Cryptographic Modules is probably the best example of this, where the corresponding ISO standard, as well as the corresponding standards for other countries, are essentially just copies or translations of the NIST standard," Martin told SearchSecurity. "Since NIST is moving to restrict the use of SMS for authentication, it is probably very significant and will most likely have significant impact on organizations and enterprises beyond the U.S. federal government."
Supernor noted these changes could have far-reaching effects, because "NIST is quite influential, even beyond the purview of the government market."
"Typically, NIST provides recommendations that are well-thought-out, and it is a good idea to follow them, even if one is not required to do so. If a commercial organization does not follow NIST's standards or recommendations, then they are going out on thin ice," Supernor said. "For example, if a bank suffers a major loss due to fraud that used SMS-based account verification, then its insurance provider could make a case for the bank not following appropriate practices."
Hugoo said NIST guidelines often translate to financial institutions and healthcare.
"Financial institutions in the U.S. follow FFIEC guidelines in terms of authentication, but the healthcare industry and others often follow NIST -- it's stated in their HIPAA regulation," Hugoo said. "Echoing NIST's warning on SMS, FFIEC recently updated its Retail Payment Services Handbook with an appendix on mobile financial services warning about using SMS. I expect FFIEC will update its overall guidance soon enough to reflect the latest NIST advisory."
Tom Gorup, security operations leader for Rook Security Inc., based in Indianapolis, said, "NIST does a great job of identifying basic security practices; however, at times, they can be quite cumbersome for organizations to take on single-handedly. NIST guidelines are certainly a set of guidelines companies can use as a launching point."