NIST: SMS two-factor is dead! If you're a US agency

Any service provider to the US government that relies on SMS for two-factor authentication may need to swap the method for something with fewer design weaknesses.

Despite known weaknesses in using SMS for multi-step authentication systems, it remains widely used in consumer applications because receiving a one-time code in an SMS is easier for people to understand than using a one-time code generator or the increasingly popular push notifications from a secure app.

But the ‘SMS is simple’ argument soon won’t cut it for authenticated access to applications provided by US government agencies, according to a new Digital Authentication Guideline from the US National Institute for Standards and Technology (NIST).

Anyone responsible for implementing new systems should use an alternative to SMS messages for authentication since text messages over public mobile networks can be “intercepted or redirected”, NIST noted.

NIST does set national guidelines for a range of technologies that are also used outside of government. However, this particular document, SP 800-63B Authentication & Lifecycle Management, is one of three chapters of the general Digital Authentication Guideline, which is aimed at government agencies and says nothing about SMS as an authentication method in consumer services, contrary to how the draft appears to have been interpreted.

“The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, authenticators, management processes, authentication protocols and related assertions,” NIST notes in the lead document’s abstract.

In other words, the guidance would apply to companies like Google or Apple in as far as services they provide that may be used to connect with government IT systems, but not for authenticated access to either firm’s consumer services, such as Google’s Gmail or Apple’s iTunes.

The recommendations on SMS fall within NIST’s guidance on “out of band” authentication. Nonetheless, NIST’s withdrawal of support for SMS for government apps is a sign of the times, given that anyone interacting with government IT systems is likely to be doing so via a mobile device — one that may be compromised by malware that intercepts SMS messages. Numerous examples of Android malware that targets SMS-delivered one-time passwords have been reported.

To combat phone number spoofing, NIST also specifies that if SMS is used for out-of-band verification on a public mobile telephone network, “the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

A more secure method for delivering one-time passwords is via push notifications through a secure app. NIST says that government agencies “may” send a push notification to a device for out-of-band authentication; however, the verifier “shall not” store the key itself but rather must use a hash function to ensure the key is unique to the device.
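As an added illustration of the two requirements above (this is example code, not from the article or from NIST's text), the following Python verifier refuses SMS delivery to any pre-registered number not flagged as a mobile-network number, and registers push-capable devices while storing only a hash of each device's identifying key. The number-type lookup table is a constructed stand-in for the carrier database a real verifier would query.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a carrier / number-portability lookup (assumption:
# a real verifier would query an external service for the number type).
NUMBER_TYPES = {
    "+15551230001": "mobile",
    "+15551230002": "voip",
}


def sms_number_allowed(phone_number: str) -> bool:
    """SP 800-63B rule: SMS out-of-band codes only go to numbers on a mobile
    network, never to VoIP or other software-based numbers. Unknown numbers
    fail closed."""
    return NUMBER_TYPES.get(phone_number) == "mobile"


class PushVerifier:
    """Out-of-band verifier for push-notification authenticators that keeps
    only a SHA-256 digest of each device's identifying key, never the key."""

    def __init__(self) -> None:
        self._key_hashes: dict[str, str] = {}  # user_id -> hex digest

    def register_device(self, user_id: str) -> str:
        # The device receives and keeps the raw key; the verifier hashes it
        # and discards the original.
        key = secrets.token_bytes(32)
        self._key_hashes[user_id] = hashlib.sha256(key).hexdigest()
        return key.hex()

    def has_raw_key(self, key_hex: str) -> bool:
        """True only if the raw key leaked into storage (it never should)."""
        return key_hex in self._key_hashes.values()

    def verify(self, user_id: str, presented_key_hex: str) -> bool:
        """Check the key a device presents during the push response against
        the stored digest, using a constant-time comparison."""
        stored = self._key_hashes.get(user_id)
        if stored is None:
            return False
        try:
            presented = bytes.fromhex(presented_key_hex)
        except ValueError:
            return False
        digest = hashlib.sha256(presented).hexdigest()
        return hmac.compare_digest(stored, digest)
```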

Stories by Liam Tung