Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. Updated guidelines stated that SMS-based two-factor authentication is not secure and should be banned. It is not only insecure but also inconvenient for users, we will explain to you why we think so.
Updated guidelines of NIST
Out-of-band authentication such as SMS is often used in financial institutions, governments and other organisations with high-end security requirements. However, NIST argues that SMS-based two-factor authentication is an insecure process because it is too easy for anyone to the specific SMS authentication code. As NIST explains it in the updated guidelines: “it is acceptable for now, but SMS will no longer be allowed in future releases of this guidance. Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators.”
Since SMS-based 2FA is common among organisations, a large number of businesses world wide, will need to change their remote authentication processes or deviate from NIST guidance.
Banks and other online services providers still send two-factor authentication codes to their customers via SMS. However, experts have known for years that there are vulnerabilities in the system.
Why is SMS is not secure as authentication method?
Hackers can call up your phone company pretending to be you, then convince the support desk there to redirect your messages to a different SIM card. Following are recent examples
- The Marcher Banker Malware resurfaced earlier this year and is now capable of stealing SMS information directly from your device
- In April of 2016, 60 Minutes interviewed the team responsible for discovering the now-famous SS7 global network vulnerability
- In May 2016, a vulnerability was discovered within Qualcomm’s CVE-2016-2060 software package that could allow for remote access of SMS libraries on both Android and iOS devices
- In June 2016, the Chief Technologist of the Federal Trade Commission outlined how her identity was stolen merely through porting her phone number to a new device
Alternatives to SMS
It’s truth that the vast majority of people would be better off using SMS 2FA rather than using no two-factor method at all. Experts said alternative authentication methods, such as smart cards and on-device authentication apps provide better security. It’s desirable that any out-of-band alternative to SMS authentication should deliver strong authentication, multifactor authentication and push notifications with application relevant information as for example authorization and/or consent. Fully auditable and in compliance with international standards and regulations.
Welcome to the world of ConsentID. It operates from any device: mobile, tablet or desktop and different operating systems. AET brings more than 15 years of experience to ConsentID authentication and signing service. A flexible, easily adaptable and integrated solution for any business application. Read more on ConsentID.