Article posted: Oct 12, 2016
By Marcus Hartwig, GM Americas
When the National Institute of Standards and Technology (NIST) declared over the summer that SMS-based two-factor authentication should be consigned to the scrap heap of history, many of us in the industry breathed a sigh of relief.
For those who are not familiar with the work of NIST: the government agency is charged with creating guidelines and rules for all sorts of measurements, including those relating to securing electronic communications. NIST guidelines are generally regarded as the gold standard for our industry (specifically around cryptographic ciphers, key lengths and more), and its recommendations are implemented by virtually all authentication vendors. Now NIST, in its Digital Authentication Guideline, Authentication and Lifecycle Management, is saying that anyone using SMS should start looking for alternatives.
At Versasec, we've been saying all along that one-time passwords (OTP) and SMS are far inferior to a true cryptographic logon using smart cards. The chasm between these methods is very deep. OTP authentication makes use of rather short, computer-generated passwords, and these passwords are often handed to the user with no authentication at all, or only very weak authentication. Smart card PKI authentication, in contrast, is a true multi-factor authentication procedure: the user must first authenticate to the smart card (with a PIN code or fingerprint) before the card calculates the non-repudiable and very long authentication code.
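To make the difference concrete, here is an added example (written for this article, not Versasec's or any vendor's card code) that models the two flows side by side. The hypothetical `SimCard` type stands in for a PKI smart card: the private key stays inside it, and it refuses to sign until the correct PIN has been presented, with a retry counter that locks the card after three failures. The relying party sends a random challenge and verifies the returned ECDSA signature with the public key it enrolled, so the authentication code is long, bound to that one challenge and non-repudiable. For comparison, `HOTP` is the RFC 4226 one-time password: a six-digit code derived from a secret that both sides must hold, which anyone who reads it can reuse within its window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// SimCard is a toy model of a PKI smart card (hypothetical, not a real card API):
// the private key never leaves the struct, and Sign is refused until the holder
// has proven the PIN. Three wrong PINs lock the card for good.
type SimCard struct {
	priv     *ecdsa.PrivateKey
	pin      string
	unlocked bool
	retries  int
}

// NewSimCard generates the card's P-256 key pair and sets the PIN (personalisation step).
func NewSimCard(pin string) (*SimCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimCard{priv: priv, pin: pin, retries: 3}, nil
}

// Public returns the public key, which is what the relying party enrolls.
func (c *SimCard) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN is the "something you know" factor. A correct PIN unlocks the card and
// resets the retry counter; once the counter reaches zero the card stays locked.
func (c *SimCard) VerifyPIN(pin string) bool {
	if c.retries == 0 {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) == 1 {
		c.unlocked = true
		c.retries = 3
		return true
	}
	c.retries--
	return false
}

// Sign is the "something you have" factor: an ECDSA signature over the server's
// challenge, computed only after the PIN has been verified.
func (c *SimCard) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required before signing")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// NewChallenge is the relying party's fresh random nonce; a signature over it
// cannot be replayed against a different challenge.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// VerifyResponse checks the card's signature against the enrolled public key.
func VerifyResponse(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// HOTP implements RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to
// six decimal digits. Both sides must hold the same secret, and the code carries
// no binding to the session it is typed into.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func main() {
	card, err := NewSimCard("1234") // constructed sample PIN
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	if _, err := card.Sign(ch); err != nil {
		fmt.Println("before PIN:", err)
	}
	card.VerifyPIN("1234")
	sig, _ := card.Sign(ch)
	fmt.Printf("signature is %d bytes, verifies: %v\n", len(sig), VerifyResponse(card.Public(), ch, sig))
	// RFC 4226 test-vector secret, for comparison with the six-digit code.
	fmt.Println("HOTP code:", HOTP([]byte("12345678901234567890"), 0))
}
```

The contrast to notice is in what the server stores and what an eavesdropper gains: the relying party keeps only a public key and verifies a signature it could not have produced itself, whereas the HOTP server holds the same secret as the token and a captured six-digit code is as good as the original until its window closes.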
Anyone charged with protecting a company's assets should never even utter the terms OTP and SMS. SMS messages are easy to intercept and even redirect.
The net result is that NIST is deprecating the use of SMS as an "out-of-band authenticator." In its report, which is open for public comment, NIST says that for now, services must verify that the phone number they send codes to is actually part of a legitimate mobile network rather than a VoIP or similar service. The SMS message is then sent only to a verified phone number that cannot be changed without two-factor authentication.
That's why businesses should already have moved far away from weak SMS to dedicated two-factor authentication solutions such as smart cards. For now, OTP solutions such as RSA SecurID are also acceptable, but who knows for how long? What NIST and others have learned is that, in addition to SMS's exposure to malware, mobile users can easily be duped into handing over their password reset codes, as this NYU research paper demonstrates.
SMS is often described as a secondary, separate communications channel, but that depiction is generally inaccurate. Here's an example: if one uses iMessage, SMS messages are delivered over the internet and to all of one's Apple devices.
As an added bonus, smart card solutions are far more convenient for the user: there is no need to read a code from one device and enter it manually on another, for example. Smart cards also cover many more use cases than OTP, including file encryption, digital signatures, visual identification, physical access control using RFID/NFC and more.
Want to hear more about the much safer alternative of smart cards and how easily they can be managed? Contact us!