Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

The Death of SMS-Based Two Factor Authentication

July 27, 2016

You should be using two-factor authentication (2FA) wherever you can. For those less technically inclined, 2FA uses a second factor (typically a token or a code sent via text message) along with your password to authenticate access. More and more applications and services are providing 2FA as a way to help secure your logon credentials. A very common way to implement 2FA is to register your cell phone number so the provider can send you a code via text message (SMS). Well, those days are numbered.

The National Institute of Standards and Technology (NIST) is changing the rules by which authentication software must abide in the latest draft of Special Publication 800-63B, Digital Authentication Guideline. The change is being made because SMS is relatively insecure: messages can be redirected to a VoIP service rather than an actual mobile number.

"If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

This means that services can continue to use SMS for now, as long as virtualized (VoIP) phone numbers are not used. A better alternative is a dedicated 2FA app such as Google Authenticator, Duo or Authy, or a dedicated hardware token such as a USB dongle or an RSA SecurID.
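The authenticator apps named above (Google Authenticator, Authy, Duo's TOTP mode) all implement the same standard, RFC 6238 TOTP, which is RFC 4226 HOTP with the counter taken from the clock. The example below is added here and is not code from this blog or from any of those products: it generates codes the way such an app does, exports the shared secret in the Base32 form apps accept at enrollment, and shows a server-side verifier. The verifier's +/-1 step skew window and its refusal to accept a time step twice (replay protection) are design choices assumed for the example; the test secret "12345678901234567890" and the expected codes are the published RFC 4226/6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(key, int(at_time) // step, digits, algorithm)


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the shared secret, which is what authenticator apps accept when enrolling."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side verifier (assumed design): constant-time comparison, a small clock-skew
    window, and rejection of any time step that has already been consumed by a login."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window             # accept codes from +/- this many steps around now
        self.last_accepted_counter = -1  # highest time step already used by a successful login

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else int(at_time)
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # this step (or an earlier one) was already used: treat as replay
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrollment: generate a fresh 160-bit secret and show what the user would scan or type.
    key = secrets.token_bytes(20)
    print("Base32 secret for the authenticator app:", provisioning_secret(key))
    current = totp(key, int(time.time()))
    print("Code right now:", current)
    verifier = TotpVerifier(key)
    print("First use accepted:", verifier.verify(current))
    print("Same code again (replay):", verifier.verify(current))
```

With the RFC test secret, `totp(key, 59)` yields `287082` and the 8-digit form `94287082`, matching RFC 6238; the second `verify` of the same code returns `False`, which is the behaviour that distinguishes a production verifier from a bare code generator.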

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com