Is SMS out-of-band authentication out of time?
NIST begins to turn away from one of the most popular authentication options, SMS-based out-of-band. Should you be concerned?
The new guidelines, found in the draft of NIST Special Publication 800-63-3, have attracted a lot of attention because, as currently drafted, out-of-band authentication techniques that employ SMS messages are considered deprecated. While this does not mean they cannot be used, the overall direction is clear: the NIST specification indicates such techniques “may no longer be allowed in future releases of this guidance,” and additionally suggests that “implementers of new systems should consider alternative authenticators” (in the draft's section on out-of-band authenticators).
Given the popularity of using SMS messaging for two-factor authentication, many people are wondering what they should do.
What should I do?
First, don’t panic! While there have been attacks against SMS-based out-of-band authentication over the years, many organizations have successfully implemented out-of-band mechanisms, particularly for consumer- and e-commerce-based authentication. It serves as an easy-to-deploy and scalable solution that is effective, and can be made more secure when coupled with risk management approaches.
Is a “secure” login credential a myth?
My son is 6 years old and about a year ago he became obsessed with Minecraft, which meant that I needed to learn how to play too. This was difficult for me, as my last gaming experience was Zork. My son and I learned very early on about Minecraft’s “creative mode,” where you can enjoy the game without any of the risks. Wouldn’t it be nice if this option was available for real life?
Unfortunately, there is no creative mode for authentication. Every login credential and mechanism can be compromised, including passwords, certificates, tokens, and now SMS-based out-of-band. Even biometrics are vulnerable.
Finding the appropriate credential
Organizations should align their authentication strategy with any applicable industry, regulator or association requirements, including those within the scope of NIST. However, in many cases there is still considerable flexibility as to which authentication credentials or mechanisms can be implemented.
So if all authentication credentials can be compromised, maybe the question is not which one to use, but rather which combination of credentials and mechanisms should be used to enhance security and minimize user friction. Maybe a password is perfectly fine for initial user login, and a somewhat stronger mechanism is only needed when a user attempts to access specific data or perform specific actions. Maybe we can further minimize user friction by only requesting the stronger credential based on a risk analysis.
Analytics to the rescue
Contextual risk-based analysis and user behavioral profiling can be used at multiple points of a user’s session to enhance security while minimizing friction. For example, with regard to SMS-based out-of-band, we could apply a risk evaluation when a user submits the one-time passcode (OTP) sent via SMS, validating that it is being submitted from a known device previously associated with the user and thus reducing the risk of an intercepted OTP being replayed by an attacker. Or, if risk analysis is used during login and we determine that the device is unknown, we might initiate an alternative step-up authentication mechanism rather than sending an OTP to a compromised device.
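To make the two ideas above concrete (password first, step-up only when risk warrants it; OTP accepted only from the device that requested it), here is an added example written for this article. It is not CA's product code and not anything published by NIST. The risk signals, weights, threshold, action names and device identifiers are all hypothetical; `device_id` stands for a client-side identifier such as a device cookie or fingerprint, not the phone that receives the SMS, and `issue()` returns the code only so the demo runs offline instead of calling an SMS gateway.

```python
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac
import secrets
import time


class StepUp(Enum):
    NONE = "none"                # the password session is sufficient
    SMS_OTP = "sms_otp"          # send a one-time passcode over SMS
    ALTERNATIVE = "alternative"  # e.g. authenticator app or hardware token


@dataclass
class Context:
    """Constructed request context. device_id is a client identifier
    (device cookie / fingerprint), not the phone receiving the SMS."""
    user: str
    device_id: str
    action: str       # e.g. "login", "view_profile", "transfer_funds"
    ip_country: str


@dataclass
class UserProfile:
    """Constructed behavioural profile built up from previous sessions."""
    known_devices: set
    usual_countries: set


# Hypothetical policy values: the weights and threshold are illustrative only.
SENSITIVE_ACTIONS = {"transfer_funds", "change_password", "export_data"}
UNKNOWN_DEVICE_WEIGHT = 50
UNUSUAL_COUNTRY_WEIGHT = 30
SENSITIVE_ACTION_WEIGHT = 40
STEP_UP_THRESHOLD = 30


def risk_score(ctx: Context, profile: UserProfile) -> int:
    """Additive contextual risk score from the signals in the request."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE_WEIGHT
    if ctx.ip_country not in profile.usual_countries:
        score += UNUSUAL_COUNTRY_WEIGHT
    if ctx.action in SENSITIVE_ACTIONS:
        score += SENSITIVE_ACTION_WEIGHT
    return score


def required_step_up(ctx: Context, profile: UserProfile) -> StepUp:
    """Below the threshold the password alone is enough. Above it, use an
    SMS OTP only when the requesting device is already known; on an
    unrecognised device fall back to an alternative factor, so an SMS OTP
    is never the sole gate for a device we have no history with."""
    if risk_score(ctx, profile) < STEP_UP_THRESHOLD:
        return StepUp.NONE
    if ctx.device_id in profile.known_devices:
        return StepUp.SMS_OTP
    return StepUp.ALTERNATIVE


class OtpStore:
    """Issues single-use OTPs bound to the device that requested them."""

    def __init__(self, ttl_seconds: int = 300):
        self._pending = {}  # user -> (sha256(code), device_id, expiry)
        self._ttl = ttl_seconds

    def issue(self, user: str, device_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = (digest, device_id, now + self._ttl)
        return code  # an SMS gateway would deliver this; returned here for the demo

    def verify(self, user: str, device_id: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(user, None)  # single use: any attempt consumes it
        if entry is None:
            return False
        digest, bound_device, expiry = entry
        if now > expiry:
            return False
        if not hmac.compare_digest(bound_device, device_id):
            return False  # submitted from a device other than the one that asked
        submitted = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, submitted)
```

The store deliberately fails closed: a submission from the wrong device consumes the pending code rather than leaving it available for a second try, which is the property the paragraph above is after when it talks about an intercepted OTP. In a real deployment the pending entries would live in a shared store with the same single-use and expiry semantics, and the device identifier would be whatever the session layer already trusts.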
Ultimately, the goal is a secure login that confidently establishes you are who you claim to be. Using several routes to get there and converge on the final, securely authenticated destination is likely to produce the greatest user experience and the strongest level of assurance. For more information, come visit us at CA Advanced Authentication.