PINDROP BLOG

NIST Explains Proposed Ban on SMS for 2FA

A few days after releasing draft authentication guidelines that propose deprecating SMS as a second factor for authentication, NIST officials provided more context on the move, saying it’s a result of advances in attacks and shifts in the threat landscape.

Earlier this week, NIST, which sets technical standards for government agencies in the U.S., released for comment its Digital Authentication Guidelines, and the change that got everyone’s attention was the recommendation that SMS be removed as a two-factor authentication method. The agency said that SMS was deprecated as of now and would be gone in future versions of the guidelines.

“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” the NIST guidance says.

On Friday, Paul Grassi of NIST said in a post explaining the proposed change that new attacks on SMS systems have made it necessary. He added that while 2FA with SMS is more secure than a password by itself, it is still not good enough.

“We’re continually tracking security research on the evolving threat landscape. Following on our approach to limit scalability and remote attacks, security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse,” Grassi wrote.

“We suggest that the use of SMS as a second factor be reconsidered.”

“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3. It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”

Many popular services use SMS to send users a short code as part of a 2FA or two-step verification system, but as Grassi said, SMS is vulnerable not only to interception in transit: the codes themselves are also often displayed as notifications on the phone’s lock screen, readable by anyone holding the device without unlocking it. That makes them less than ideal for authentication. Other systems use authenticator apps that generate one-time passwords on the device itself, so no code ever crosses the carrier network.

“Because of the risks, we are discouraging the use of SMS as an ‘out of band authenticator’ — which is, essentially, a method for delivering a one-time use code for multi-factor authentication. This is why we suggest that the use of SMS as a second factor be reconsidered in future agency authentication systems,” Grassi said.

The NIST draft is open for comment through mid-September, and the agency hopes to have final guidelines out by the end of the year.