NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com)
An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the usage of tokens and software cryptographic authenticators instead. Even biometric authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
Many websites ask this - Facebook is top of the list. I fail to see the reason. It is just another part of their project to collect data on you.
Also, security questions are a joke. Where was I born? The whole world knows by now. Why would I provide yet another vector for compromising my account?
If the site insists, I type garbage, and save a copy in LastPass.
Sheesh.
Prove anything by multiplying Huge Number times Tiny Number
RSA has software tokens too. The app prompts for a PIN and, regardless of what you enter, will generate a token code. The catch is, the resulting token code will simply not work if the wrong PIN is entered. No way to brute-force that: you'd have to take the software token and submit that to the login form to see if the combination was correct (which after 3 tries will still lock you out). Pretty ingenious, the app doesn't need network access and will still work when you change your PIN.
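The property described in that comment, a PIN that is folded into the code rather than checked on the device so that there is no offline guessing oracle, as an added example (my own simplified model, not RSA's algorithm or code from the thread). The seed, PIN and counter are constructed, and the lockout threshold follows the three tries mentioned above.

```python
import hmac
import hashlib
import struct

# Constructed values: a device seed shared with the server, and policy knobs.
SEED = bytes.fromhex("0f" * 32)   # constructed, not a real token seed
LOCKOUT_AFTER = 3                 # the "3 tries" lockout from the comment
DIGITS = 6

def derive_token_key(seed: bytes, pin: str) -> bytes:
    """Fold the PIN into the key. Every PIN yields *some* key, so the client
    cannot tell a right PIN from a wrong one; only the server can."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()

def token_code(seed: bytes, pin: str, counter: int) -> str:
    """HOTP-style dynamic truncation (RFC 4226) over the PIN-derived key."""
    key = derive_token_key(seed, pin)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: holds the seed and enrolled PIN, counts failed attempts."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin, self.failures, self.locked = seed, pin, 0, False

    def check(self, submitted: str, counter: int, window: int = 1) -> bool:
        if self.locked:
            return False
        for c in range(counter - window, counter + window + 1):
            expected = token_code(self.seed, self.pin, c)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.locked = True
        return False

def demo(counter: int = 12345) -> dict:
    """Right PIN verifies; wrong PINs look like valid codes but fail, then lock."""
    v = Verifier(SEED, "4821")
    good = token_code(SEED, "4821", counter)
    bad = token_code(SEED, "0000", counter)        # wrong PIN: still six digits
    accepted = v.check(good, counter)
    rejected = [v.check(token_code(SEED, p, counter), counter) for p in ("0000", "1111", "2222")]
    return {"good": good, "bad": bad, "wrong_looks_valid": bad.isdigit() and len(bad) == DIGITS,
            "accepted": accepted, "rejected": rejected, "locked": v.locked}
```

The only place a PIN guess can be tested is `Verifier.check`, which is exactly where the server applies the lockout.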