Slashdot Mirror


NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com)

An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the usage of tokens and software cryptographic authenticators instead. Even biometrics authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
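The draft's three SHALL clauses (mobile-network check, number change gated on fresh 2FA, SMS deprecated) as a verifier-side policy in Python. This is an added illustration, not NIST's or Softpedia's code; the number-type table, sample numbers and the `Account` shape are constructed assumptions standing in for a real carrier lookup and user store.

```python
import secrets
import warnings
from dataclasses import dataclass, field

# Constructed lookup table standing in for a carrier/number-type service.
# The draft only says the verifier SHALL check the number is on a mobile
# network, not how; sample E.164-style numbers are assumptions.
NUMBER_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "mobile",
}

class PolicyViolation(Exception):
    """Raised when a request would break one of the draft's SHALL clauses."""

@dataclass
class Account:
    phone: str
    second_factor_ok: bool = False          # True only right after a fresh 2FA
    sent: list = field(default_factory=list)  # stands in for the SMS gateway log

def send_sms_code(account: Account) -> str:
    """Out-of-band SMS verifier step: refuse VoIP/software numbers, then send."""
    if NUMBER_TYPE.get(account.phone) != "mobile":
        raise PolicyViolation("pre-registered number is not on a mobile network")
    # The draft deprecates SMS OOB entirely; surface that to operators.
    warnings.warn("OOB verification via SMS is deprecated", DeprecationWarning)
    code = f"{secrets.randbelow(10**6):06d}"       # 6-digit one-time code
    account.sent.append((account.phone, code))
    return code

def change_phone(account: Account, new_phone: str) -> None:
    """Number change SHALL NOT be possible without 2FA at the time of the change."""
    if not account.second_factor_ok:
        raise PolicyViolation("changing the registered number requires 2FA now")
    if NUMBER_TYPE.get(new_phone) != "mobile":
        raise PolicyViolation("new number must be a mobile number, not VoIP")
    account.phone = new_phone
    account.second_factor_ok = False   # the fresh-auth flag is single use
```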

25 of 150 comments

  1. the phone may not always be in possession phone by Anonymous Coward · · Score: 3, Funny

    recursive function overflow

    1. Re:the phone may not always be in possession phone by FatdogHaiku · · Score: 2

      So... if you printed it out you would get:
      The phone with a phone lives mainly in a tome*...

      *Assumes user has enough paper to print all recursions.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    2. Re:the phone may not always be in possession phone by Killall -9 Bash · · Score: 2

      I have been saying this for years. All biometrics (and smart cards, and RFID, etc) can offer is a false sense of security.

      Hackers can't steal your finger print or your eye, but they can steal the digital signature of it.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    3. Re:the phone may not always be in possession phone by lgw · · Score: 2

      I'm not quite sure what BeauHD is being paid for.

      BeauHD is old and busted - two generations behind now. Clearly he needs to be upgraded first to Beau3D, then to Beau4K if we're to get good editing.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:the phone may not always be in possession phone by goose-incarnated · · Score: 4, Informative

      Hasn't it been shown that you can take a fingerprint left by someone (say, on their phone) and use it to fool a fingerprint scanner?

      It has been shown that this works for old, cheap or crappy fingerprint readers. Modern, state-of-the-art scanners can check for a pulse, or use other techniques to detect tampering. Anyway, the whole point of multi-factor is that each individual factor doesn't have to be perfect. Two layers that are each 90% secure are as good as one layer that is 99% secure.

      Biometrics are the worst factor; they reduce the efficacy of the other factors because they can never be changed while there will remain a nonzero number of devices that can be fooled (hence, they reduce the efficacy).

      The "modern state-of-the-art" that you refer to doesn't yet exist, but I'm sure that it will be secure when they install it in the future, in my flying car.

      --
      I'm a minority race. Save your vitriol for white people.
  2. I heard you like phones by Edis Krad · · Score: 4, Funny

    So I put a phone in your phone because the phone may not always be in possession of the phone

  3. Re:Typo by gweilo8888 · · Score: 4, Funny

    Do the editors not even read submissions anymore?

    You say that like they ever used to.

  4. Non-sequitur by Todd Knarr · · Score: 4, Insightful

    The recommendation doesn't make sense. Yes, your phone may not always be in your possession. That would rule out software authenticators too, since they reside on the same phone that may not always be in your possession. Even dedicated hardware tokens may not always be in your possession, they can be lost or stolen just like a phone. So if not being always in your possession is the criterion, then all of the NIST's recommended methods fail to meet it.

    As for VoIP lines, yes they can be intercepted. They do however share one characteristic with cell-phone lines: they don't normally share a path with the network connection being authenticated except possibly at the user's ISP and computer (if the VoIP line terminates on their computer as opposed to their cell phone). That limits the ability of a single attacker to intercept and alter both paths, which is the central facet of what 2FA does.

    Ultimately the only secure 2FA is a dedicated hardware token that requires biometric authentication to function. Anything less than that is insecure, the question being merely whether the insecurity reaches the point of being unacceptable.

    1. Re:Non-sequitur by GeekWithGuns · · Score: 2

      I agree, if your concern is possession of the phone, then soft tokens are almost equal to SMS. The big difference is the ability to intercept the code out on the network (VoIP, Google Voice, etc...).

      One thing that I have seen done with RSA tokens that could be done with software tokens as well as SMS tokens would be appending a PIN to the token. That way even if the token is stolen, the thief would need to know the PIN and where to append it. You don't need a biometric to unlock the token, just a password or PIN to be the 2nd factor.

      --
      [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
    2. Re:Non-sequitur by Nemyst · · Score: 5, Insightful

      The recommendation doesn't make sense. Yes, your phone may not always be in your possession.

      I'd recommend re-reading the actual recommendation: "The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number". It's not the user having the phone on them, it's the phone having the number associated with it. They're essentially saying that it's too easy to hijack the phone's number (or simply get it when the user changes it) and receive the SMS instead of the legitimate user.

    3. Re: Non-sequitur by Ronin Developer · · Score: 2

      This, theft or the cloning of the SIM are three possible threats. Another is the display of the SMS on the lock screen, which would divulge the token to anyone who has access to the device.

    4. Re:Non-sequitur by PrimaryConsult · · Score: 3, Interesting

      RSA has software tokens too. The app prompts for a PIN and, regardless of what you enter, will generate a token code. The catch is, the resulting token code will simply not work if the wrong PIN is entered. No way to brute force that, you'd have to take the software token and submit that to the login form to see if the combination was correct (which after 3 tries will still lock you out). Pretty ingenious, the app doesn't need network access and will still work when you change your PIN.
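The PIN-keyed soft token described in this comment, and the "append a PIN to the token" idea from the GeekWithGuns reply above, as an added Python illustration. It is not RSA's SecurID algorithm and not code from the thread: the PIN is mixed into the HMAC key of a standard RFC 4226 HOTP/TOTP so the client always emits a plausible code and only the server, which knows seed and PIN and locks after three failures, can tell right from wrong. The seed, PIN and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions): a 16-byte token seed and a PIN.
TOKEN_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
DIGITS = 6
STEP = 30

def pin_keyed_key(seed: bytes, pin: str) -> bytes:
    # Mix the PIN into the key: a wrong PIN yields a different but equally
    # well-formed code, so the app itself gives no oracle for guessing PINs.
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    # dynamic truncation to a 31-bit value, reduced modulo 10^digits.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def totp(key: bytes, unix_time: int, step: int = STEP) -> str:
    return hotp(key, unix_time // step)

def client_code(pin_entered: str, unix_time: int) -> str:
    # Offline app behaviour: never validates the PIN, always returns a code.
    return totp(pin_keyed_key(TOKEN_SEED, pin_entered), unix_time)

class Verifier:
    """Server side: holds seed and PIN, tolerates +/-1 step, locks after 3 misses."""

    def __init__(self, seed: bytes, pin: str, max_failures: int = 3):
        self.key = pin_keyed_key(seed, pin)
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        if self.failures >= self.max_failures:
            return False                       # locked out, as the comment notes
        for drift in range(-window, window + 1):
            expected = totp(self.key, unix_time + STEP * drift)
            if hmac.compare_digest(expected, code):
                self.failures = 0
                return True
        self.failures += 1
        return False
```

Changing the PIN server-side only re-derives `self.key`; the app needs no network round trip for that, which is the property the comment highlights.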

    5. Re:Non-sequitur by Anonymous Coward · · Score: 2, Insightful

      Too easy for who? I suspect 2FA over SMS would thwart 99% of the account hacks that occur today.

  5. Provide your phone number for extra security? by Tokolosh · · Score: 3, Interesting

    Many websites ask this - Facebook is top of the list. I fail to see the reason. It is just another part of their project to collect data on you.

    Also, security questions are a joke. Where was I born? The whole world knows by now. Why would I provide yet another vector for compromising my account?

    If the site insists, I type garbage, and save a copy in Lastpass.

    Sheesh.

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:Provide your phone number for extra security? by Alan Shutko · · Score: 4, Interesting

      Having password reset happen with a text to your phone is more secure than the typical security questions that websites and (worse) CSRs ask. The text message is intended to help prevent what happened to Mat Honan, where his google account, twitter, and Apple ID were hacked, and his MacBook and phone erased remotely. This happened because a hacker was able to convince help desk folks he was the legitimate owner of the accounts, using info scraped from different places.

      Cell phone numbers aren't as good as hardware or software-based authenticators for applications that require more security. It's part of a continuum, where the more security is needed, the more of a hassle it can be to get in.

    2. Re:Provide your phone number for extra security? by Anne Thwacks · · Score: 3, Interesting

      My bank decided I did a suspicious transaction because I was away, and used a UK (my homeland) website to buy something. They sent a text to my UK phone (running software to reply by SMS saying "my phone is out of order, send me an email"). I did not know about this, so they blocked my card.

      I asked if it was possible to advise them to use a different number if I was away. They said NO.

      --
      Sent from my ASR33 using ASCII
    3. Re:Provide your phone number for extra security? by pla · · Score: 2

      This adds no additional security to a system secured with a password

      Sure it does - It means you have two passwords, rather than a password and a piece of publicly-available information... Though the GP already gets that, I basically just rephrased his "type garbage, and save a copy" as something a bit more user-friendly. :)

      That said, I otherwise agree with you completely - Though, I also don't really see the problem here. Biometrics would solve some of the usability issues with passwords, but at the cost of introducing entirely new ones.

      Really, I think a lot of this comes down to "how much security is enough"? Sending an SMS for two-factor counts as far, far more than adequate 99% of the time; and that even counts as massive overkill 99% of the time. For virtually all uses, just using something like your favorite porn star's name is good enough.

  6. Re:Better vs. Perfect by Alan Shutko · · Score: 2

    Not many organizations are required to follow NIST security standards. Those that do are in a better situation than most to switch to physical tokens or to software-based tokens of one sort or another. Note that "5.1.3.2. Out of Band Verifiers" does not deprecate sending a notification to a smartphone app that can then authenticate the user and provide a secondary authenticator.

  7. Re: the phone may not always be in possession phon by Entrope · · Score: 2

    In that authentication paradigm, biometrics is usually called "something you are", while an authentication token/device/badge is "something you have".

  8. Re:Better vs. Perfect by GeekWithGuns · · Score: 2

    Context here - NIST is setting standards for government security. If you are running a government system or are the vendor selling to the government, this will apply to you. DoD and IRS shouldn't be using SMS 2-factor authentication for users of their systems. DoD is not really the problem here, since 2-factor to them is certificates on smart cards (CAC), but I wouldn't be surprised to see IRS using SMS based 2-factor for some kinds of password recovery.

    SMS based 2-factor for taxpayers accessing the IRS...that could be harder to replace.

    So Google and the rest of us don't have to abandon SMS for 2 factor, but I'm kinda in agreement with NIST - not the best idea due to the ability to intercept the authentication code.

    --
    [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
  9. that's not a "ban" by ooloorie · · Score: 5, Insightful

    NIST can't "ban" the use of SMS for two factor authentication in general. Those are NIST guidelines (of course, some organizations may choose to make those guidelines mandatory). Furthermore, they don't seem to have a problem with SMS verification per se, but as the announcement itself says, they merely want people to verify that the phone number is an actual mobile phone, a reasonable recommendation.

  10. Software Defined Radio by Orgasmatron · · Score: 5, Insightful

    Part of the cell phone security model was that it was expensive and difficult to build the radio gear necessary to spoof a cell tower. Fast forward to the last few years, and you can get an excellent board for SDR for like $500. The guidelines list steps you can take to reduce the risk of SS7 routing shenanigans, but there isn't much you can do about a highschool kid (or an organized crime outfit) playing MITM with a cheap radio, which is why it will be deprecated soon.

    If you are in IT, and your environment demands security compliance, this will reach you eventually. It might take a few years if your structure is slow.

    I'm not using secondary device auth anywhere because I believe that dedicated hardware is more secure, but many of my peers are using this. They will be switching off the SMS option and pressing on with online OOB methods, at least until their next cycle. We suspect that online OOB will go away entirely soon as tablet/phone malware matures and starts emptying phone-2FA-protected bank accounts.

    --
    See that "Preview" button?
  11. Number portability by quenda · · Score: 2

    In Australia, and presumably other countries with number portability, SMS authentication is a joke.
    While a SIM has strong crypto, and cannot easily be cloned, it is trivial to steal someone's phone number by 'porting' it to another SIM.
    The only 'secret' you need is their account number (dumpster dive, emails, social engineer or mailbox) or date of birth for prepaid.

    The only thing less secure is those password resets, that ask for the make of your first car, etc - something guessable or found on your facebook profile.

  12. Re:Better vs. Perfect by TheRaven64 · · Score: 2

    You don't need Paypal to do this. You can send SMS to most landlines and the message will be read out by a computerised voice.

    --
    I am TheRaven on Soylent News
  13. Re: the phone may not always be in possession phon by gumbi west · · Score: 2

    With this new "knife" technology in the hands of the wrong folks, your finger/eye are suddenly much more like, "something you have."