Back at the end of July, quite a bit of media buzz was generated by reports that NIST was recommending, in the draft of their new publication addressing digital authentication methods, that using SMS text messages as a second authentication factor was being “deprecated.” So…what exactly does that mean, and why shouldn’t it be used?
First of all, if you want to actually read what the draft says, you can find it in the out-of-band authenticators section here: https://pages.nist.gov/800-63-3/sp800-63b.html#out-of-band. If you don’t want to plow through the actual verbiage of the draft standard, you can read Paul Grassi’s explanation on the NIST blog site instead. But the main takeaway is that “deprecated” does not equal “don’t ever use this under any circumstances.” A two-factor authentication approach using SMS is still way more secure than most single-factor authentication methods. It’s just not the best approach. Here’s why…
Some VoIP services (e.g., Skype or Google Voice) can deliver text messages without the need for possession of a physical device. In such a scenario, the classical definition of multi-factor – something you know (typically a password) + something you have (typically some kind of authentication token or smartcard) or something you are (some kind of biometric authenticator) – becomes just two different things you know (your primary password and the password you use to access the VoIP service). So right away you’re stretching the definition of multi-factor.
The next concern is that it is easier to intercept these kinds of communications than it is to track you down and physically steal your smartphone. So the draft standard states that if you’re going to use text messages, you must verify that the phone number you’re sending to actually corresponds to a physical telephone and not a VoIP line or other software-based device.
Some smartphones display a portion of an incoming SMS message without requiring you to unlock the phone. I personally have SMS authentication enabled on my Google account. But the SMS message is short enough that if I’m watching my phone when it comes in, I can pick up the passcode from the message preview without the need to unlock my phone, provided I act quickly enough, before the preview disappears. So if you did steal my phone, you wouldn’t have to bother cracking my unlock password. Still better than single-factor, but you see the problem.
As mobile devices proliferate, and more and more of us use them to access sensitive information like our bank accounts, more and more malware is being written that targets mobile devices. Given that trend, it’s questionable whether it’s a good idea to send a one-time authentication code to the same device that you’re using to access the site that’s sending you the one-time authentication code…because if your device has been compromised, then whoever compromised it may well be able to access your messaging app as well.
Again, all of that said, an SMS authentication approach is still better than single-factor, password-only authentication. Even better would be an authentication app on your smartphone that cannot be accessed without unlocking the smartphone and that uses an encrypted channel to communicate with the authentication service…such as ESET’s Secure Authentication app.