Followers of the Bach Seat know that passwords suck and no longer provide reliable security. Because automated mass cybercrime attacks are hammering businesses daily, the National Institute of Standards and Technology (NIST) is disrupting the online security status–quo. According to InfoWorld, the US government’s standards body has decided that passwords are not good enough anymore. NIST now wants government agencies to use two-factor authentication (2FA) to secure applications, networks, and systems.
Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. The first is typically something you have, a physical token, such as a card. The second is usually something you know like a PIN number.
The proposed standard discourages organizations from sending special codes via SMS messages. Many services offer two-factor authentication. They ask users to enter a one-time passcode sent via SMS into the app or site to verify the transaction. The author writes that weaknesses in the SMS mechanism concern NIST.
NIST now recommends that developers use tokens and software cryptographic authenticators instead of SMS to deliver special codes. They wrote in a draft version of the DAG; “OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance.”
Federal agencies must use applications that conform to NIST guidelines. This means for software to be sold to federal agencies, it must follow NIST guidelines. InfoWorld says this is especially relevant for secure electronic communications.
SMS-based Two-Factor Authentication is considered insecure by NIST for a number of reasons. First, someone other than the user may be in possession of the phone. The author says an attacker with a stolen phone would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.
InfoWorld says that NIST isn’t deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset, that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is that it is insecure over VoIP.
The author says there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. SMS messages delivered through VoIP are only as secure as the websites and systems of the VoIP provider. If an attacker can hack the VoIP servers or network they can intercept the SMS security codes or have them rerouted to her own phone. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromise users.
Sophos’ Naked Security Blog further explains some of the risks. There is malware that can redirect text messages. There are attacks against the Signalling System 7 (SS7) protocol. SS7 controls how the phone system works. (rb- Some believe that TLA’s hacked SS7 to spy on citizens.) This hack allows an attacker to divert the SMS containing a one-time passcode to their own device, which lets the attacker hijack any service, including Twitter (TWTR), Facebook (FB) or Google (GOOG) Gmail, that uses SMS to send the secret code to reset the account password.
Mobile phone number portability also poses a problem for SMS security. Sophos says that phone ports, also known as SIM swaps can make SMS insecure. SIM swap attacks are where an attacker convinces your mobile provider to issue you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.
Sophos also says in many places it is very easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM and therefore hijacking all their text messages.
ComputerWorld highlights a recent attack that used social engineering to bypass Google’s two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode, which was a real code generated by Google when the attackers tried to log in, arrived in a separate text message, and users who didn’t realize the first message was not legitimate would pass the unique code on to the criminals.
“NIST’s decision to deprecate SMS two-factor 
authentication is a smart one,” said Keith Graham, CTO of authentication provider SecureAuth. “The days of vanilla two-factor approaches are no longer enough for security.”
For now, applications and services using SMS-based authentication can continue to do so as long as it isn’t a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor apps. One example is Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.
Hardware tokens such as RSA’s SecurID display a 
new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public-key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.
Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.
Many developers are increasingly looking at fingerprint recognition. ComputerWorld says this is because the latest mobile devices have fingerprint sensors. Organizations can also use adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, SecureAuth’s Graham said.
NIST acknowledged that biometrics is becoming more widespread as a method for authentication, but refrained from issuing a full recommendation. The recommendation was withheld because biometrics aren’t considered secret and can be obtained and forged by attackers through various methods.
Biometric methods are acceptable only when used with another authentication factor, according to the draft guidelines. NIST wrote in the DAG;
[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns for blue eyes)
At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. They are soliciting feedback from partners and NIST stakeholders on the new standard. They told InfoWorld, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”
You can review the draft of Special Publication 800-63-3: Digital Authentication Guidelines on Github or on NIST’s website until Sept. 17. Sophos recommends security researcher Jim Fenton’s presentation from the PasswordsCon event in Las Vegas that sums up the changes.
VentureBeat offers some suggestions to replace your SMS system:
- Hardware tokens that generate time-based codes.
- Apps that generate time-based codes, such as the Google Authenticator app or RSA SecurID,
- Hardware dongles based on the U2F standard.
- Systems that use push notifications to your phone.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
The typical U.S. user can have up to 130 online accounts and hopefully, they have 130 different passwords on these accounts. When setting up the 130 different passwords on these 130 accounts – you have undoubtedly seen the hate message
The story goes back to Gutenberg‘s innovation of moveable type and the printing press (1450 A.D.). With Gutenberg’s printing press the compositor (“person who sets the type or text for printing”) stored the individual pieces of metal type in boxes called cases. The smaller letters (along with the type for punctuation and spaces), which were used most often, were kept in a lower case that was easier to reach. Capital letters, which were used less frequently, were kept in an upper case. Because of this old storage convention, we still refer to small letters as lowercase and capital letters as uppercase.
Fortunately, the tide against using case as a password complexity factor has turned. The National Institute of Standards and Technology (NIST) now recommends everyone use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase or special characters. NIST 800-63B says enforcing unnecessary password complexity requiring a mix of special characters, numbers and uppercase letters is a practice that can stop.
2FA is a way to mitigate risks associated with unauthorized access, especially in the current COVID-19 era of
Among those other, better practices, Mr. Margosis mentioned 
SMS authentication is one of the major security mechanisms for services like 
CBS correspondent 
Representative Lieu has called for a congressional investigation of the vulnerabilities in SS7. He wrote that “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials.” Lieu said the investigation should be conducted by the 