Using SMS for Two-factor Authentication is not all that safe after all
Two-factor authentication is a measure used at online account sign-in to verify that the person logging in is authorized to access the account. It is now widely used and is regarded as a reliable way of keeping attackers out of an account even after they have obtained the login credentials. A two-factor system requires a second code, sent to your mobile device, before the account can be accessed. To break in, an attacker would also need access to your phone, which is not normally the case.
Corporate organizations and everyday applications such as email accounts now use two-factor authentication. The most common implementation of this method is sending the code via SMS.
It turns out that SMS is not all that safe as a means of authentication, at least according to the National Institute of Standards and Technology (NIST), the US federal agency that sets technology standards.
NIST recently published Digital Authentication Guidelines, which outline how state-affiliated agencies should identify users accessing their systems remotely. The guidelines have clear sets of dos and don’ts for Out-of-band (OOB) authentication. OOB authentication requires a second login code, sent to an individual’s smartphone, to confirm authorized access to an account.
“OOB via SMS is obsolete and will soon be disallowed,” the Digital Authentication Guidelines draft reads. The guidelines say little about why SMS will no longer be an acceptable means of two-factor authentication, but NIST is most likely concerned with the security of SMS transmission: attackers and governments have previously intercepted messages sent over SMS.
NIST issued further guidance on using SMS for login authentication. The standards body advised that if an organization does use SMS for authentication, it should first verify that the number it is sending the message to is associated with a mobile network and not with a VoIP or other software-based service.
The guidelines have also defined the two most critical requirements of an OOB authenticator. An OOB authenticator device should be uniquely addressable, and the communication over the device should be private and secure. The guidelines should not come as a surprise as some voice-over-IP services deliver voice calls and text messages without the existence of a real mobile or telephone device. NIST insists that OOB authentication should not use such networks.
Many presume that the ability to receive and respond to an email message proves possession of an account or a mobile device. NIST warns against using email as a form of OOB authentication. NIST further advises that an OOB authentication message sent to a smartphone should not be displayed on the device’s lock screen. The draft recommends that companies drop SMS authentication in favour of application-based authentication, noting that “smartphone applications employ secure communications and notification protocols.”
Biometrics is another widely known method of authentication, but NIST advises against it for OOB authentication. Reported biometric false match rates and false non-match rates have risen in recent years, and those error rates make biometrics unsuitable as an OOB authentication method.