A U.S. government agency said the end is nigh for SMS-based two-factor authentication, citing a lack of security around the feature.
The latest draft version of the Digital Authentication Guideline, issued this week by the U.S. National Institute of Standards and Technology (NIST), said the practice would soon be discouraged.
The Digital Authentication Guideline sets the rules that all authentication software eventually follows.
Acknowledging there’s a risk that SMS messages can be intercepted or redirected, NIST is encouraging any service considering adopting two-factor authentication in the future to “consider alternative authenticators.”
In the document, NIST says that before sending codes, services need to verify that the phone number on file belongs to a legitimate mobile network and not to a VoIP service; it then states that the SMS method may be discouraged in future releases.
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”
“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance,” the document reads.
The document does support biometrics, at least in limited use, for authentication. As long as biometrics are used alongside another authentication factor, they are permissible, NIST says. Biometric authenticators on their own have non-trivial false match rates, can be spoofed, and “do not provide confidence in the authentication of the subscriber by themselves.”
NIST has stressed that the document is a public preview, meaning the processes aren’t in play yet and are still subject to comment. NIST will seek comments for roughly two weeks and follow that with a two- to three-week period for editors to review those comments.
The agency is seeking comment on SP 800-63-3 via GitHub. While the platform may seem like an unorthodox choice, NIST said it considers the site a robust forum for drafting the document and is encouraging substantive technical and procedural comments. NIST first called on the public to help map out the guideline when it previewed the document on GitHub in May.
Several services have already begun moving away from SMS-based two-factor authentication. Facebook uses something called Code Generator as part of its login approvals feature. When a user turns it on, they’re asked upon logging in for a special security code, which changes every thirty seconds. Google has a similar function, Google Authenticator, which supplies users with a six- to eight-digit one-time password. Companies such as Authy and Duo specialize in such solutions as well.
Two-factor authentication has become almost ubiquitous over the last several years. The functionality, which lets services send users a code to enter alongside a password as an added layer of security, has been adopted across multiple industries. Companies such as Apple, Dropbox, Snapchat, Evernote, and Twitter have adopted two-factor authentication to combat account takeovers and compromises.
Still, 2FA is no silver bullet; attackers and researchers alike have poked holes in the method, mainly via man-in-the-middle attacks. Two years ago, researchers from Duo found a way to bypass the mechanism used by PayPal and transfer money from a victim’s account to any recipient they chose. Vulnerabilities have also surfaced in plugins offered by WordPress, Google, and Instagram that enabled hackers to bypass two-factor authentication.