UPDATED–The move toward two-factor authentication and two-step verification for high-value services has been a positive one for user security, but many of those services use SMS as the channel for the second step in the authentication process, a method that the United States government is preparing to recommend against using.
The National Institute of Standards and Technology has published draft guidance that recommends against companies and government agencies using SMS as the channel for out-of-band verification. Many services that have deployed 2FA or 2SV as part of the authentication process use SMS to deliver short codes that users then enter into an app or site. However, text messaging isn’t considered a secure channel and NIST is now saying that the use of SMS as a channel for out-of-band verification won’t be permitted in future versions of its Digital Authentication Guideline.
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number,” the guidance says.
“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
From a security perspective, the change from NIST is a positive one, experts say. It pushes the authentication industry toward a more secure option and will have an effect on government agencies, which follow the NIST guidance.
“For the average case of a large web service that’s using SMS for two factor, this doesn’t mean SMS is going away. SMS is still far better than no two factor at all,” said Jon Oberheide, CTO of Duo Security, which makes two-factor authentication software.
“For the government, this is a good thing. It’s good from an authentication industry perspective, because it starts moving things forward.”
Another problem with text-based 2FA is that the codes sometimes will show up on the lock screen of a user’s phone, allowing anyone within sight of the phone to obtain the code. The more secure method, which is used by a number of services, including Gmail, is to have a separate app on the user’s device that generates a unique code that the user then enters on the site.
The NIST guidelines also discuss the use of biometrics, but says that the agency only supports their use as authenticators in limited circumstances. NIST says that biometrics aren’t considered secret and some of them can be obtained by attackers through various methods, making them somewhat susceptible to forgery.
“They can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from through objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns for blue eyes),” the guidelines say.
As a result, NIST says biometrics are supported for authentication, but only with an additional factor, such as a password or hardware token.
This story was updated on July 26 to add comments from Oberheide.