The USA's National Institute of Standards and Technology (NIST), responsible for creating many of the standards used in technology and software today, has released its latest draft of the "Digital Authentication Guideline". In it, they actively discourage the use of SMS (text) messages for the purpose of delivering two factor authentication codes.
"Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators. ... [Out of band] using SMS is deprecated, and may no longer be allowed in future releases of this guidance."
- NIST Digital Authentication Guideline, 18.104.22.168
Sending two factor codes via SMS is still super common at the moment, and many websites that enforce 2FA have a fallback option like "App not working? Send an SMS instead". It means that complete trust must be placed in telecom providers to assure that the number you're texting is the number receiving the text, that the number can only be reassigned by its true owner, and that no interception of the message can occur between the sender and receiver. Intercepting or redirecting SMS messages was historically a task that only well-organized criminals or nation states could pull off, but it's been proven that it's now easier than ever.
A 2FA-enabled Twitter account was hacked after attackers called up Verizon, impersonated the user over the phone, and asked for their number to be rerouted to their "new phone". Verizon switched the victim's number to point at the attacker's SIM card, and hey presto, all 2FA verification codes went to the attacker's phone. Most carriers have some process for doing this when a customer loses their phone, and many have lax identity verification practices. The same attack vector has been used to take over multiple popular YouTube accounts.
Activists in both Iran and Russia have had Twitter and messaging app accounts compromised, allegedly by nation-state attackers who colluded with telcos to intercept their SMS messages. SS7, a widely-used telephone carrier protocol, has had its weaknesses openly discussed for years, and last month a step-by-step "How to take over a Facebook account" video was released by security researchers. Malware on mobile devices can also be a source of compromise.
Where to from here? 2FA providers like Authy, Duo, and Google Authenticator let users generate the codes on their own device using an app, so no code ever travels over the carrier network. Application developers should support these app-based providers instead of manually sending codes over SMS. Developers who already support those apps can turn off the fallback option of sending a 2FA code via SMS. The providers themselves should look at the context around who is using the app when a 2FA request comes in: is it on a known device, in a location the user usually logs in from, at a time they usually use it, and in a way consistent with their past behavior? Take a look at Android's new Trust API for a glimpse of this future.
SMS-based 2FA is on the way out, but two factor authentication in general will remain a fantastically worthwhile process for a long time to come. The more layers of well-tested, intelligent security you add, the harder it is for an account to be compromised when one of those layers fails.