Some draft guidelines from the National Institute of Standards and Technology got a lot of attention because they expressed concerns about the security of SMS messaging for sending out-of-band one-time passwords to mobile phones.
This has been widely misinterpreted as meaning:
• Using your mobile phone as a second factor when logging in to accounts is not secure (Not True);
• Use of SMS messaging for one-time passwords is being banned (Not True); and
• NIST does not recommend using two-factor authentication (2FA) (Very Much Not True).
The facts are that multi-factor authentication is safer than using only a user name and password and out-of-band one-time passwords can still be used. If you are using a mobile phone as a token for secure log-ins you should keep using it. But your bank, employer or other entity might want to change that in the future.
NIST is future-proofing its standards. It said (and said only in draft) that because of emerging risks to SMS messaging, “implementers of new systems should carefully consider alternative authenticators.” It also said that SMS “may no longer be allowed in future releases of this guidance.”
The flap
Because of the difficulties of managing really strong passwords, additional factors are being adopted to improve security when strong authentication is needed. A common scheme now is for a log-in site to generate a one-time password and send it via SMS (Short Message Service texting) to the user’s mobile phone. A log-in thus requires two factors: Something the user knows (a user-name and password) and something the user has (a specific mobile phone).
The confusion came with the public preview release of draft Special Publication 800-63 guidance for digital authentication. In the guidelines for lifecycle management (SP 800-63B) NIST noted that there are risks to using SMS. The first is that there is no guarantee that a SMS text is going to a mobile phone. If it goes to some online application, the security of using the phone as a physical token is lost. For this reason, the proposed guidelines require the authenticator to verify that the recipient of the message actually is a mobile phone.
Another risk is that a message can be intercepted and redirected, allowing a third party to receive the one-time password. Because of this, the draft guidelines “deprecated” the use of SMS for sending passwords.
Future proofing
NIST does not establish standards and guidelines capriciously. Its scientists realize that IT systems have long lives and that technology, threats and security requirements will change. So the institute looks ahead, preparing for the future. This includes warning system operators of likely changes so that they will have time to bring systems into compliance, and will not design new systems to specifications that will be outdated when they go into operation.
That’s what deprecation is about. It’s a warning. As explained by the program office of National Strategy for Trusted Identities in Cyberspace, “Deprecation is standards-speak for ‘you can use this puppy for now, but it’s on its way out.’ It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions.”
The bottom line
Keep in mind that NIST sets standards only for federal agencies (although they often are adopted by the private sector as well). No one is saying we don’t need 2FA. No one is saying we shouldn’t use out-of-band delivery of one-time passwords or that we should not be using SMS for this now. But if you’re planning for a new system that will use multi-factor authentication, NIST suggests that you consider alternatives to SMS.