This post first appeared on my SAP Blog on July 6, 2017.
In late July 2016, there were a significant number of news stories that have “declared the end of 2FA over SMS,” as the US NIST has recommended that the Out-of-Band delivery channel of SMS for 2FA tokens to be deprecated in the next version of their guidelines.
In the draft document of June/July 2016 timeframe, Section 22.214.171.124 ended with:
Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
This unfortunate revelation was picked up by several news organizations including:
- TechCrunch: NIST declares the age of SMS-based 2-factor authentication over
- The Register: US standards lab says SMS is no good for authentication
- CXO today.com: SMS Based Two-Factor Authentication Will End Soon
- CNET: SMS-based two-factor authentication will soon be banned
- Sci-Tech Today: Say Goodbye to SMS Two-Factor Authentication
While this was a selection of industry and general news organization, it was certainly not a comprehensive list, with many more publications jumping all over 2FA over SMS. Regrettably, the headlines, as you can see, were quite misleading and we believe this did damage to concept of 2FA via the SMS channel. This draft recommendation from NIST also lead to considerably lobbying by numerous organizations including the US CTIA.
Something must have worked.
In the June 2017 release of the NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), the recommendation to deprecate SMS as an out-of-band channel for 2FA is no longer in place. It’s gone! Removed from the document!
Section 126.96.36.199 no longer makes any mention of “deprecating SMS.” In fact, Section 188.8.131.52 acknowledges that SMS may be a specific out-of-band device:
Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).
There is no longer mention of deprecating SMS in this release or any other.
That notation and some other text clearly states that SMS (and voice) may be used as an out-of-band channel (e.g. through the usage of the Public Switched Telephone Network or PSTN). The document is clear that the possession of a mobile device should be authenticated by a SIM card and specifically rules out email or VoIP channels as they do not “prove possession of a specific device.”
This rules out certain types of messaging apps that can run on a SIM card mobile device as well as a desktop or other device, not uniquely identified by a SIM card: Facebook Messenger, WhatsApp, WeChat, Google Voice and many others. But traditional SMS and even RCS may be used.
We can still point to some vulnerabilities with SMS, as some recent headlines have highlighted (notice how news organizations are quick to publish the bad, but when the industry stands somewhat vindicated on our complaints that while not perfect, SMS as a 2FA channel is still extremely valid). In the final document, the NIST does point out that:
If out-of-band verification is to be made using the PSTN, the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. Changing the pre-registered telephone number is considered to be the binding of a new authenticator and SHALL only occur as described in Section 6.1.2.
Furthermore, they caution implementers that:
Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.
The mobile industry – especially Mobile Network Operators — have already deployed numerous controls to combat SIM swaps, SMS interception and other threats to the most widely used 2FA channel that were rare, still caused some undesirable effects for a very small handful of subscribers. While admittedly not perfect, SMS is still the most widely used and most effective manner for people to add a 2nd factor of authentication to protect themselves as well as the company providing the service.
Furthermore, global industry associations, such as the GSM Association have active work groups, devising additional standards to extend security of A2P SMS to cover 2FA as well as other types of high-value enterprise messaging. This will only improve SMS as an out-of-band channel.
This is very good news for the authentication segment of the industry and certainly supporters of 2FA over SMS. With NIST’s acknowledgement that SMS is still a valid out-of-band authentication channel for 2FA, it proves, that despite some known, but rare threats, global push-back and valid counterarguments have resulted in a major influencer walking back considerations that could have resulted in countless people not having a simple SMS-based option for Two-Factor Authentication.
Thank you, NIST!