SMS for 2-Factor Authentication: Secure Enough?

From IIW

SMS for 2-Factor Authentication

Wednesday 1A

Convener: Sean Brooks and Jim Fenton

Notes-taker(s): Tom Brown

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

NIST - part of Dept of Commerce

Broad adoption outside of government (nonprofits, academic institutions)

So, important to get public feedback

NIST SP 800-63-3 (800-63-3/sp800-63-3.html)

In the new version, SMS is deprecated as an out-of-band authentication mechanism

Deprecation - when we released the public draft, there were lots of articles about "NIST banning use of SMS for


Not saying that fed agencies can't use it - just trying to signal to the market that we don't see SMS as a reliable option for a 2nd factor

Not forbidden from using it

In the technical standards space, it is always a surprise when the media picks up anything at all

NSTIC wrote a clarifying blog post

The idea was to give the marketplace a heads up

SMS is cost effective for many orgs

SMPP (Short Message Peer-to-Peer, the protocol used to submit and route SMS) is widely used and not particularly secure

SS7 - designed without any particular security, used among carriers; not accessible to as many potential attackers as the internet, but accessible to anyone with carrier-network access

social engineering attack on carrier:

"I lost my phone & need to buy another one"

sales person motivated to sell phone but not particularly skilled at verifying identity

FTC: in 2013, 1083 reports of this attack, representing 3.2% of identity fraud reports

reported attacks doubled since then. (actual number of incidents unknown)

high profile victims of this attack:

  1. Deray McKesson via Twitter
  2. Ladar Levison

phishing ("verifier impersonation attacks" in the document): SMS codes can be phished, so SMS does not reach the same assurance level as phishing-resistant authenticators.

Document recommends that relying parties check to make sure the number belongs to a mobile phone rather than a voice-over-IP service

we are not singling out SMS. The document also nixes knowledge-based authentication (KBA) (e.g. "what is the name of your dog?")

we cannot necessarily point private entities to any specific technologies, but do mention five or so other mechanisms

Ubiquity and familiarity make SMS attractive. Just because someone has a smartphone doesn't mean they understand it.

SMS is not 100% accessible, especially in rural areas

deprecating something isn't meaningful unless there is an alternative

deprecation in the document means: if you can find a better way, you should consider doing it.

if an iPhone's message forwarding is on, the phone will forward the SMS message to iCloud, so the code is no longer confined to the one handset

Eurograbber malware snagged the SMS message on the phone and sent it off to the attacker, who could then front-run the authentication

the phone is intended to be "something you have". We've been using SMS to prove you have the phone

alternatives: one-time password (OTP) device, crypto token
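The difference between "proving you have the phone" with SMS and with an OTP device or an app like Google Authenticator is where the secret lives. This added example (not part of the session notes, and not code from NIST or any vendor) implements the RFC 4226 HOTP and RFC 6238 TOTP algorithms those devices use: the secret is shared once at enrollment and every code is derived locally from it, so SS7 interception, SIM-swap social engineering and SMS-forwarding malware have no message to capture. The secret and timestamps are the RFC test vectors; the verifier-side skew window and input checks are this example's own choices.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, generator and verifier side.

Added example for the IIW notes; not code from the session, NIST or any
authenticator vendor. Secret and times below are the RFC test vectors.
"""
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)           # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                    # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Verifier side (constructed policy, not from the RFC): accept the code for
    the current step and +/- `window` steps to tolerate clock skew, and compare
    in constant time so the check does not leak which digits matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8-digit vectors.
    for t, want in [(59, "94287082"), (1111111109, "07081804"),
                    (1234567890, "89005924"), (20000000000, "65353130")]:
        assert totp(RFC_SECRET, t, digits=8) == want
    print("code for the current 30s step:", totp(RFC_SECRET, int(time.time())))
```

The shared secret is the weak point that replaces the carrier: it has to be provisioned over a trusted channel and stored by the verifier like a password hash cannot be (it must stay recoverable for HMAC). Note also that a TOTP code is still a six-digit string the user can be tricked into typing into a phishing site, so this closes the SS7 and SIM-swap paths the session discusses but not the "verifier impersonation" one; that is the property FIDO tokens and WebAuthn add.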

the Signal messaging service will detect if you move an account to a different device by checking the device's


some carriers have APIs to determine how long a telephone number has been associated with a specific device.

providers can integrate with carrier APIs to verify the IMSI (SIM card) and IMEI (handset) behind a number

PIV (Personal Identity Verification) smart cards are the standard for fed employees instead of SMS

Duo, FIDO tokens, Google Authenticator

WebAuthn in W3C to integrate FIDO into the browser experience

federal gov & innovative technologies don't always mix as things take a while