SMS is NOT a good out-of-band authentication method



With daily headlines announcing new cyberthreats from phishing, spoofing, social engineering, and the like, it should come as no surprise that one of the oldest technologies out there, SMS or “text messaging,” is finally coming under scrutiny from standards bodies. The latest draft of NIST’s authentication guidelines (National Institute of Standards and Technology Special Publication 800-63 on Digital Authentication) finally deprecates SMS as a channel for authentication. The document states that “out-of-band authentications SHALL establish an authenticated and protected channel.” This makes sense: a second factor should travel over a channel that is both authenticated and protected, and SMS is neither. The message crosses the carrier network without end-to-end encryption, and it is addressed to a phone number, which the carrier can reassign to a different SIM on request. Further, the new draft states that “SMS is deprecated and may no longer be allowed in future releases of this document.”

For those who follow security news, this is a welcome change. Even T-Mobile’s CEO knows that SMS has problems: he tweeted a response to a video by h3h3productions documenting how their accounts were hijacked through SIM card customer service requests (https://twitter.com/JohnLegere/status/751490098240167937).

Recently, a friend of mine showed me an email from the U.S. Social Security Administration (SSA) about privacy protection for its website (http://ssa.gov/myaccount). The email says that as of August 2016, the SSA will require a cell phone to receive an additional one-time passcode each time you log into your account. Clearly the SSA is trying to reduce account takeovers. Yet the SSA, arbiter of a key element of legal identity for every U.S. taxpayer and citizen, can’t even keep up with its own government’s standards. I’m glad to hear the SSA is adding 2FA, but seeing the announcement at the same time as NIST’s draft is pretty comical. Talk about aiming for last place.

Despite numerous public hacks, SMS is still being used and rolled out, and not just by slow-moving government agencies like the SSA. Name-brand companies such as Facebook, Google, and Twitter still use SMS for one-time passwords as well. Why? Even with its weaknesses, SMS does add another step to a typical phishing or credential-theft attack: a stolen password alone is no longer enough, the attacker also needs the current code. It is also a channel that is simple, easy to understand, and pervasive: every phone can receive it, with nothing to install. While some additional security is better than none, it is abundantly clear that SMS is at best a poor stop-gap. The real question is: what’s next?

We need to be pushing the boundaries of online identity and security. We need innovation that isn’t just a patchwork of older technologies that are proving time and again to have vulnerabilities. These vulnerabilities exist because the technologies were built in an age when today’s use cases didn’t exist, or were bolted on alongside other layers out of expediency rather than holistic security best practice. Ideally we should have solutions that not only meet the requirements set out by NIST but exceed them. We need solutions that bring back quality user experiences without adding burdensome complexity.

At Uniken we work on cutting-edge technology, with deep-stack innovation that aims to solve the authentication and channel problem at its core. We connect real-world identity (regardless of factor) with the communications channel at the protocol level. Our innovations offer a safe, simple, and IoT-scale authentication and secure-channel solution that exceeds the latest NIST standards.
