The state of two-factor authentication by text: What security pros need to know

The latest addition to a little-known set of guidelines has put the squeeze on the most popular way of improving account security: The use of text and other messaging services as a vehicle for sending one-time passwords used in many multifactor authentication schemes.

In the May 2016 draft of the Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) proposed either doing away with sending passcodes for two-factor authentication via a text delivered to a mobile phone through the short message service (SMS), or forcing providers to take extra security steps to harden the security measure against circumvention. The problem: Attackers have already found ways around the security check, either by compromising the phone or by redirecting the messages using social engineering, a virtual phone, or a network hack. 

"Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators," the draft guidelines state. "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier shall verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service."

What NIST's recommendation on two-factor authentication by text means for you

NIST's recommendations can often dramatically impact commercial offerings. If government agencies refuse to use a technology such as SMS for one-time passcodes for 2FA, businesses will often follow.  

However, NIST's recommendation is more nuanced than what most media outlets are reporting. While the federal technology office is recommending that other government agencies move away from SMS passcodes as a way to do out-of-band (OOB) authentication, NIST stopped short of a mandate.

"We proposed a deprecation rather than a complete removal in hopes of increased efficacy for agencies' investments in upgrading existing systems and building new ones," Paul Grassi, senior standards and technology advisor at NIST, said. "As systems are upgraded, we believe the options in the market for strong authentication—that are increasingly used by consumers—can also be used by agencies."

For security-conscious consumers and workers, two-factor authentication is both a bane and a boon. The technique, which adds a second type of security check whenever a person wants to access an account or data, can make it more difficult for users to access their accounts, but also makes it harder for hackers to compromise those accounts.

Common types of the account authentication strategy include sending a one-time password via text message, generating a one-time password with a hardware token, inserting a specialized USB token into a computer, scanning a fingerprint, or pushing a message to the user through a secure messaging service, such as those run by Apple or Google.

The problem with two-factor authentication: Users just don't get it

Unfortunately, most consumers just don't get two-factor authentication. While 70% worry that their passwords are not enough, only 39% have two-factor enabled on any of their online accounts, according to the 2015 Telesign Consumer Account Security Report. Of those that do use it, however, 90% feel it makes their online information more secure.

SMS one-time passwords are popular because they are easy to use and people do not need a special hardware token to use them. More people need to use 2FA technologies, experts say. And while any form of two-factor is better than none, they warn that attackers are increasingly able to circumvent insecure implementations of one-time passwords sent by text.

Some attacks get users to install a malicious app on their smartphone that can then read SMS messages and forward the codes to the attackers. Another exploit redirects SMS messages by hacking the cellular service using a variety of technical methods, or through social engineering, to forward codes to an attacker. "Common attacks—including a lot of banking trojans—use both the cellular vector and the malicious app vector," said Jon Oberheide, chief technology officer at Duo Security, provider of 2FA products. "Basically, the attacker finds a way to get access to that channel and pulls the SMS message."

A decade ago, security researchers found attacks that worked around text-based one-time passwords. In a recent blog post, the security firm Kaspersky Lab pointed out three criminal malware frameworks—Asacub, Acecard and Banloader—that have components to steal one-time passwords from mobile devices.

Text passcode workarounds

While NIST has recommended that federal agencies move to other technologies, it also gave alternative recommendations. An organization can use text-based one-time passwords if it can verify that the receiver of a one-time password is a pre-registered cellphone and not, say, a voice-over-IP line, and if it does not allow the phone number for the service to be changed without two-factor authentication to verify the identity of the person requesting the change.
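As an added illustration (not code from the article, from NIST or from any vendor quoted here), the following Python sketch enforces both draft conditions at enrolment: the number must resolve to a mobile network rather than a VoIP service, and a pre-registered number may only be changed after a verified second factor. The carrier lookup table, the account structure and the phone numbers are constructed stand-ins; the code itself is issued single-use with an expiry and an attempt limit, which is the kind of hardening the closing advice refers to.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a carrier lookup (assumption: production code asks the operator).
NUMBER_TYPE_DB = {"+15550100001": "mobile", "+15550100002": "voip"}
OTP_TTL_SECONDS = 300   # a code expires five minutes after issue
MAX_ATTEMPTS = 3        # a code is discarded after three wrong guesses

class PhoneNotEligible(Exception):
    """Number is not on a mobile network (VoIP or other software-based service)."""
class SecondFactorRequired(Exception):
    """A pre-registered number may only be changed after a verified second factor."""

@dataclass
class Account:
    phone: str = ""          # pre-registered SMS number, empty until enrolled
    otp: str = ""            # pending code; cleared on use, expiry or lockout
    otp_expires: float = 0.0
    otp_attempts: int = 0

def is_mobile_number(phone: str) -> bool:
    return NUMBER_TYPE_DB.get(phone) == "mobile"

def register_phone(acct: Account, phone: str, second_factor_verified: bool = False) -> None:
    """Enrol or change the SMS number under both conditions from the NIST draft."""
    if acct.phone and not second_factor_verified:
        raise SecondFactorRequired(acct.phone)
    if not is_mobile_number(phone):
        raise PhoneNotEligible(phone)
    acct.phone = phone

def issue_otp(acct: Account, now: float = None) -> str:
    # Six-digit single-use code; the caller delivers it over SMS to acct.phone.
    now = time.time() if now is None else now
    acct.otp = f"{secrets.randbelow(10**6):06d}"
    acct.otp_expires, acct.otp_attempts = now + OTP_TTL_SECONDS, 0
    return acct.otp

def verify_otp(acct: Account, submitted: str, now: float = None) -> bool:
    """Constant-time compare; the code is consumed on success, expiry or lockout."""
    now = time.time() if now is None else now
    if not acct.otp or now > acct.otp_expires:
        acct.otp = ""
        return False
    acct.otp_attempts += 1
    ok = hmac.compare_digest(acct.otp.encode(), submitted.encode())
    if ok or acct.otp_attempts >= MAX_ATTEMPTS:
        acct.otp = ""
    return ok
```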

"It is important to not throw the baby out with the bathwater," said Keith Graham, chief technology officer of SecureAuth, a provider of identity analytics. "There are ways to secure SMS today, if you can show the SMS number is not a virtualized number and it actually belongs to a physical device."

NIST's recommendation will likely survive the comment period on the draft, since many have supported the deprecation of SMS OOB authentication. Deprecation does not mean that the technology is banned from use, but that agencies should use another technology, if available. 

That is an important distinction, since others point out that text-based two-factor authentication continues to be the simplest way for consumers to gain the benefits of a reasonable second factor of security. "It is convenient and simple, yet provides … a heightened level of security [compared to] out-of-wallet questions [or] an email verification to login," said one commenter. "We find this to be a great method to validate a registered identity with 2FA, and then promote to a more secure option. … We also see an issue with deprecating SMS OOB entirely as this is a firm method that leads to more 2FA adoption for consumer sites."

So what should security professionals do about all this?

  • If you haven't already, adopt two-factor authentication.
  • Begin considering a move to alternative forms of authentication if you are using text-only now.
  • If you can't immediately move to some other form of authentication, move to harden your two-factor authentication.