NIST to deprecate SMS for out of band authentication. What is the impact?

Written by: Joost Flipse

August 17, 2016 - Exploring the impact of the NIST publication for parties using or considering the use of SMS authentication.

On July 25th NIST released a draft version (draft pre-draft) of its SP 800-63-3: Digital Authentication Guideline. In this blog we present our view on the impact of this NIST publication for parties using or considering the use of SMS authentication.

NIST, the National Institute of Standards and Technology in the USA, is (among other things) responsible for the development of standards and guidelines for security of US federal information systems. In SP 800-63-3 it publishes technical guidelines for the remote authentication towards US government IT systems over open networks. In this public preview they are opening up their stable draft version for comments mainly from federal and industry parties via GitHub. Following this public preview there will be the traditional public comment phase after which the document is planned to be finalized by the end of this year, replacing SP 800-63-2 (released in August 2013).

The guideline is divided up into 4 documents, where SP 800-63B discusses what authentication processes and authenticators are to be used to obtain a certain Authentication Assurance Level (AAL). These AALs represent the level of confidence that the person performing the authentication is the same person to which the authenticator was issued. Depending on the risk of, and possible damage caused by, fraudulent access to the system a suitable minimum AAL is determined for that system.
Generally speaking a higher AAL is achieved by combining more than one of the following three so called authentication factors:

  • Something you know, e.g. username and password
  • Something you have, e.g. smartcard with secret cryptographic key
  • Something you are, e.g. fingerprint

SMS authentication is seen as “something you have” and is grouped under Out Of Band (OOB) authenticators, where the one-time use secret (e.g. authentication code) is delivered to a physical device via a channel separate from the channel which initiated the authentication. In the current draft version of SP 800-63B government agencies are recommended to consider alternatives for SMS OOB when implementing new authentication processes. The reason they give is that SMS messages can be intercepted, social engineered, or redirected, which could lead to fraudulent access.
NIST further emphasizes this by separately stating:

OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

If OOB SMS is used it should be delivered via a public mobile phone network and not use VoIP or other software-based services.

Impact?

Currently username and password (something you know) combined with an authentication code delivered to your mobile device via SMS (something you have) is used as 2FA by many online service providers and government institutions. The NIST guidelines discussed specifically address authentication towards US government systems and take into account their related security needs. So far, other authentication frameworks such as STORK have not deprecated SMS for 2FA. However, increasing pressure is being applied to the use of SMS through other channels as well – with some national groups such as the Australian telecommunications lobby group publically stating that SMS is no longer an acceptable method for out of band communications (see http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194 ).

Therefore, although it is unlikely for this type of authentication to disappear in the near future, we do expect this method to be phased out over time, starting with US government who are required to design new systems in compliance with NIST SP 800 63 3.
Companies are not directly impacted by these guidelines but especially higher security systems, such as those of financial institutions, are expected to follow suit if not already considering such changes because of known SMS security vulnerabilities. Furthermore, most of the bigger online service providers such as Google and Apple already have alternatives in place where OOB is delivered by an app residing on your mobile phone that sets up a secure connection to retrieve an authorization code (or approval is confirmed directly via the secondary channel).

Our recommendation

• For existing SMS implementations that do not deal with the US government the NIST deprecation can be seen as a firm warning that the method is not considered trustworthy. Therefore, it is advisable to closely monitor for any potential fraud on systems using this method, and to consider upgrading to a newer method and/or invest in fraud detection/prevention.
• For new implementations: Do not use SMS but choose a more secure option. Such methods may include a push notification triggering an app residing on the user’s smartphone to set up a secondary secure channel for OOB authentication, or implementation of a FIDO compliant authentication method. For more information on FIDO authentication implementation, please read our white paper here.

Disclaimer

These are the personal opinions of UL’s employees and its guests and should not be misunderstood as representing the opinion of UL's clients, suppliers or other relations.