Followers of the Bach Seat know that passwords suck and no longer provide reliable security. Because automated mass cybercrime attacks are hammering businesses daily, the National Institute of Standards and Technology (NIST) is disrupting the online security status–quo. According to InfoWorld, the US government’s standards body has decided that passwords are not good enough anymore. NIST now wants government agencies to use two-factor authentication (2FA) to secure applications, networks, and systems.
Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. The first is typically something you have, a physical token, such as a card. The second is usually something you know like a PIN number.
The proposed standard discourages organizations from sending special codes via SMS messages. Many services offer two-factor authentication. They ask users to enter a one-time passcode sent via SMS into the app or site to verify the transaction. The author writes that weaknesses in the SMS mechanism concern NIST.
NIST now recommends that developers use tokens and software cryptographic authenticators instead of SMS to deliver special codes. They wrote in a draft version of the DAG; “OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance.”
Federal agencies must use applications that conform to NIST guidelines. This means for software to be sold to federal agencies, it must follow NIST guidelines. InfoWorld says this is especially relevant for secure electronic communications.
SMS-based Two-Factor Authentication is considered insecure by NIST for a number of reasons. First, someone other than the user may be in possession of the phone. The author says an attacker with a stolen phone would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.
InfoWorld says that NIST isn’t deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset, that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is that it is insecure over VoIP.
The author says there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. SMS messages delivered through VoIP are only as secure as the websites and systems of the VoIP provider. If an attacker can hack the VoIP servers or network they can intercept the SMS security codes or have them rerouted to her own phone. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromise users.
Sophos’ Naked Security Blog further explains some of the risks. There is malware that can redirect text messages. There are attacks against the Signalling System 7 (SS7) protocol. SS7 controls how the phone system works. (rb- Some believe that TLA’s hacked SS7 to spy on citizens.) This hack allows an attacker to divert the SMS containing a one-time passcode to their own device, which lets the attacker hijack any service, including Twitter (TWTR), Facebook (FB) or Google (GOOG) Gmail, that uses SMS to send the secret code to reset the account password.
Mobile phone number portability also poses a problem for SMS security. Sophos says that phone ports, also known as SIM swaps can make SMS insecure. SIM swap attacks are where an attacker convinces your mobile provider to issue you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.
Sophos also says in many places it is very easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM and therefore hijacking all their text messages.
ComputerWorld highlights a recent attack that used social engineering to bypass Google’s two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode, which was a real code generated by Google when the attackers tried to log in, arrived in a separate text message, and users who didn’t realize the first message was not legitimate would pass the unique code on to the criminals.
“NIST’s decision to deprecate SMS two-factor 
authentication is a smart one,” said Keith Graham, CTO of authentication provider SecureAuth. “The days of vanilla two-factor approaches are no longer enough for security.”
For now, applications and services using SMS-based authentication can continue to do so as long as it isn’t a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor apps. One example is Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.
Hardware tokens such as RSA’s SecurID display a 
new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public-key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.
Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.
Many developers are increasingly looking at fingerprint recognition. ComputerWorld says this is because the latest mobile devices have fingerprint sensors. Organizations can also use adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, SecureAuth’s Graham said.
NIST acknowledged that biometrics is becoming more widespread as a method for authentication, but refrained from issuing a full recommendation. The recommendation was withheld because biometrics aren’t considered secret and can be obtained and forged by attackers through various methods.
Biometric methods are acceptable only when used with another authentication factor, according to the draft guidelines. NIST wrote in the DAG;
[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns for blue eyes)
At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. They are soliciting feedback from partners and NIST stakeholders on the new standard. They told InfoWorld, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”
You can review the draft of Special Publication 800-63-3: Digital Authentication Guidelines on Github or on NIST’s website until Sept. 17. Sophos recommends security researcher Jim Fenton’s presentation from the PasswordsCon event in Las Vegas that sums up the changes.
VentureBeat offers some suggestions to replace your SMS system:
- Hardware tokens that generate time-based codes.
- Apps that generate time-based codes, such as the Google Authenticator app or RSA SecurID,
- Hardware dongles based on the U2F standard.
- Systems that use push notifications to your phone.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Linus Torvalds released the first Linux operating system kernel on Oct. 5, 1991. On Oct. 6, 1991, Torvalds began arguing with volunteer developers who would go on to make Linux an open-source powerhouse and eventually a household name. Today the Linux community is upwards of 86 million users strong.
As part of celebrations to mark Linux’s 25th birthday the Linux Foundation has published its annual Linux Kernel Development Report (PDF reg required). According to the Register, the report concludes that Linux is in great shape, “There may be no other examples of such a large, common resource being supported by such a large group of independent actors in such a collaborative way.”
While Linux may have started out as a hobby OS, that changed in the early 2000s. At the turn of the century, Wall Street banks demanded Linux support for their enterprise application servers says Tech News World.
Aporeto Virtualization Expert Stefano Stabellini, who has been a Linux user and open source advocate since the 1990s explained the transition. “… back when I started with Linux in the ’90s … [companies] did not understand it. They thought that open source was unsustainable, and Linux was niche and hobbyist.” He says that now everything has changed. Every company has an open source strategy now. “Microsoft (MSFT) was the biggest foe and now is a strong ally. Linux is the most widely adopted operating system of all times.”
It’s alive. It’s alive! BPL has risen from dead. Longtime readers of the 
ComputerWorld 
The 
It can eliminate having to carry a separate dongle as just about everyone has a mobile phone these days this is a mobile world we live in, and we need mobile-compatible solutions; otherwise, you’re behind the curve right out of the gate.
The July issue of the 
Some bots work to gain greater status by searching out and following popular or influential users or taking other steps to garner attention. Other bots are identity thieves, adopting slight variants of user names to steal personal information, picture, and links.