Skip to content

In Support of 2FA: Why NIST’s Recommendation Is a Step in the Wrong Direction

August 3, 2016

Telesign Team

The following post first appeared on LinkedIn.

In case you missed it, let’s recap last week’s rollercoaster of cybersecurity news. The U.S. National Institute for Standards and Technology (NIST) released their draft Digital Authentication Guideline (Special Publication 800-63) for public comment, which included a recommendation to deprecate SMS-based two-factor authentication.

What followed was a media storm pronouncing the end of SMS-based two-factor authentication (2FA). Many in the cybersecurity and technology space were caught off guard by this aggressive coverage, which ranged from “SMS-based two-factor authentication will soon be banned” to “NIST declares the age of SMS-based 2-factor authentication over.” Even NIST themselves were surprised by the media maelstrom their draft received, and deemed it necessary to publish a follow up piece clarifying their position.

As someone who has worked in the cyber security space for years, presently at Telesign helping many of the world’s largest website and mobile applications protect their end-user accounts from fraud and compromise, I’m sharing our perspective.

Special Publication 800-63-3

To start, NIST is a federal agency that works with industry to develop and apply technology, measurement and standards. They are not a regulatory body and there are very few entities, aside from federal agencies, that are required to conform to the standards they publish. In fact, the majority of consumer-facing web and mobile apps today do not conform to their existing standards.

The publication being referred to in the media is NIST’s draft Digital Authentication Guideline (Special Publication 800-63), which they recently published for comment and is not yet final. The document provides technical and procedural guidelines to agencies implementing electronic authentication to choose and implement effective authentication processes based on risk. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. In the document, NIST notes:

“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticatorsÉ OOB using SMS is deprecated , and may no longer be allowed in future releases of this guidance.”

While the document is not very forthcoming regarding the detailed rationale for the decision to deprecate SMS one-time passcode (OTP) 2FA, we believe it is based on security exploits disclosed over the years in the Signaling System 7 (SS7) network, that while technically possible to achieve, are difficult to accomplish, and such attacks are extremely unlikely to affect the average consumer. In this case, NIST does not consider usability and practicality for their standards – they only consider the possibility of attack, and are almost entirely focused on ensuring federal networks are secure.  For consumer web and mobile applications, there are very few more practical solutions than SMS given its universal applicability and broad acceptance.

A Blow to Consumer Security

Telesign believes the document and resulting media coverage actually does a disservice to consumers. In an age where the password is failing (2016 Verizon DBIR – 63% of confirmed data breaches involved stolen, weak or default passwords), it is clear that more account security is needed not less. Scaring consumers away from a readily available protection measure such as 2FA via SMS based on difficult to achieve, and highly targeted threats is not conducive to broader increased security. The best defense is a layered security approach and 2FA provides a significant layer for any company. A number of publications and security experts agree with this and have taken a more balanced approach to this story:

As Engadget’s Violet Blue states while referring to the fear-inducing media coverage of the report, “If they’re reading Apple Insider or Sci Tech as gospel, the logical next step would appear to be quitting two-factor altogether. Or, just setting fire to your laptop and throwing it out the window.”She goes on to say, “it’s a bad message to send. As many people as possible should be adding this second step to logging in because they are not edge cases, and 2FA is actually making the general public safer.”

Targeted Attacks, Not ÔEn Masse’

One of the key rationale for the stance on SMS OTP is the belief by NIST that these types of attacks can be increasingly performed on a large scale.  As per their blog post post:

“We’re continually tracking security research on the evolving threat landscape. Following on our approach to limit scalability and remote attacks, security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.”

As a licensed Mobile Network Operator (MNO) in the United Kingdom and the Netherlands, and direct access to the SS7 network, Telesign has a particularly good view and understanding of the potential threats and disclosed vulnerabilities in that network.

Underlying signaling technologies like SS7 will have vulnerabilities and we in the security business deal with those vulnerabilities by augmenting, securing or replacing them. The security of the SS7 networks outside the United States has been lacking, but given the broad disclosure of specific vulnerabilities in 2014, mobile network operators worldwide have worked hard to add additional security to large portions of these networks.In terms of the disclosed vulnerabilities and demonstrated hacks of the SS7 network that likely led to the NIST position on SMS OTP, it is certainly possible to intercept or redirect messages in some parts of the world – although still extremely difficult and requires working closely with a telecommunications operator in some fashion (access few hackers actually have at their disposal).

But this is the stuff left for nation states and highly targeted attacks on high value targets.  Not the types of day-to-day threats that your average consumer is facing, and certainly shouldn’t keep them from enabling SMS OTP based 2FA everywhere it’s available.

What Next?  Turn on 2FA

Security is constantly evolving. My team is using data and machine learning to assess risk even before an SMS OTP is sent, using indicators such as velocity, anomalies, SIM swaps, and call forwarding, to make it even harder for attackers to take over accounts protected by SMS OTP based 2FA. At Telesign, we also help customers deploy new technologies such as push notifications, code challenges, and behavioral biometrics that further authenticate users Ôbehind the scenes’ – no passcodes required.

But the reality is that fraudsters will always seek out ways to compromise end-user accounts. The key is putting in place as many roadblocks as possible to make their efforts more difficult or costly.

We firmly believe the password must die and be replaced by stronger, more secure methods of online accounts. To date, SMS OTP remains the most viable additional layer of account security for consumers today due to the ubiquity and convenience of the mobile phone.

Everyone should turn it on to protect their accounts and stay safe online.”