NIST statement on SMS-based two-factor authentication: What does it mean for CISOs?

The National Institute of Standards and Technology (NIST) recently stated that using SMS messages as an out-of-band verifier or the second factor in two-factor authentication (2FA) is deprecated. That statement by a respected organization has many people wondering about SMS two-factor authentication security. A draft of NIST’s Digital Authentication Guideline states, “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators.” NIST provides guidance to government agencies, and many CISOs and security professionals also follow that guidance. But NIST’s statement does not mean there is no place for SMS as part of a 2FA system. CISOs just need to think about where and how they’re implementing it.

With NIST’s recent statement, many CISOs and security professionals are thinking about their 2FA programs and whether they need to make changes. If you are protecting enterprise assets and have systems that can or do support it, I wholeheartedly recommend that you follow NIST’s guidance and move beyond SMS for 2FA. One option is instituting time-based one-time password (TOTP) technology such as Google Authenticator. But until some of the friction involved in adopting TOTP technology is addressed for general consumers, in my opinion SMS still has a place as an authenticator for 2FA in many consumer apps.

SMS two-factor authentication security

Forty-four percent of executives fear that mobile security controls will make employees less productive, according to recent research from BlackBerry. Any CISO understands the balancing act between security and ease of use. A security control that makes it harder for an employee to do their job is not likely to be adopted. A security control that complicates an app’s log-in process might discourage consumers from using the app. When I think about the tech savviness of the general consumer, I think about my parents and how they interact with technology. At this time, my dad uses 2FA including SMS for his banking app. It’s easy enough for him to log in to his account, receive a code via SMS, and enter that code to gain access. I’m skeptical that my dad could as easily use a TOTP app for 2FA. He needs to install a TOTP app, open it up, populate it with the correct data, and visit a website to take a picture of a QR code in order to sync the app with an encrypted secret. I can guarantee that were he to lose his phone, he would need a lot of help recovering his accounts and redeploying the TOTP app on his new device. Many CISOs influence decisions about how they implement 2FA for consumers. The question becomes whether to offer 2FA that is token-based or SMS-based. I’d argue that with the current state of software-token-based 2FA, a significant share of the general population will not have a good experience with it. A bad user experience will lead consumers to opt out of 2FA (if opting out is an option) or opt out of using the app altogether.
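To make concrete what the QR-code enrollment step above actually hands to the app, and what the server does with it afterwards, here is an added example (not code from the article or from any authenticator product) of RFC 6238 TOTP: the otpauth URI the QR code encodes, code generation from the shared secret, and a server-side check with a small clock-skew window. The secret is the published RFC 4226/6238 test key, used here only as a constructed sample; the account and issuer names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample: base32 encoding of the RFC 4226/6238 test key
# "12345678901234567890". Never reuse a published key in a real system.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # RFC 6238 default time step in seconds
DIGITS = 6       # length of the code the user types in


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the enrollment QR code encodes.
    Scanning it is how the app obtains the shared secret."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP)."""
    return hotp(secret_b32, at // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: int, skew: int = 1) -> bool:
    """Server-side check tolerating +/- `skew` steps of clock drift; each
    candidate is compared in constant time so timing does not leak digits."""
    step = at // TIME_STEP
    return any(hmac.compare_digest(hotp(secret_b32, step + d), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    print(provisioning_uri(SAMPLE_SECRET_B32, "user@example.com", "ExampleBank"))
    print("current code:", totp(SAMPLE_SECRET_B32, now))
```

A real deployment would also reject a code that has already been accepted within the same window, since TOTP codes are one-time only by convention, not by construction.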

When might SMS still be appropriate for 2FA?

2FA introduces a significant hurdle for attackers. Yes, attackers can find ways around it, but it’s a hurdle nonetheless. If you’re using TOTP technology for 2FA, the hurdle is huge, especially if the authenticator runs on a separate device, because the attacker must then also compromise that second device. Yes, the hurdle created by SMS-based 2FA is smaller. But at this time it’s still not a trivial hurdle. It requires an attacker’s time and effort to overcome. Let’s say an attacker buys a consumer’s account credentials from an underground market. The attacker visits the associated login page and enters the username and password. The login page alerts the attacker that an SMS message has been sent to the phone number registered to the account and prompts the attacker to enter the provided access code. In most cases, that’s enough to send the attacker on their way to other lower-hanging fruit. An attacker can exploit this scenario, but it requires a whole lot of effort, some luck, and a number of variables lining up in their favor. In the case of the general consumer, it’s not worth an attacker’s time. The CEO of a company in a targeted sector like banking, on the other hand, is worth an attacker’s time and effort. The savvy criminal is doing their homework, determining what phone the target uses, where the target travels, etc. They’re not just stumbling upon the CEO’s password on an underground market and trying to log in to their prescription refill website. The attacker has plotted the attack and is probably going to try to compromise that CEO’s mobile device as well. A high-profile individual from an organization that is likely to be targeted should, as recommended by NIST, be using something other than SMS as an authenticator for 2FA. I think it’s reasonable to say that 90-95 percent of people are not targeted individuals, and so I argue that based on expense, complexity, and support costs, SMS-based authentication works just fine for now in consumer scenarios.

A good plan today vs. a great plan tomorrow

I think that CISOs should follow NIST’s guidance to consider using authenticators other than SMS when protecting enterprise assets. Most employees in the modern enterprise have a lot of experience with technology, and adopting a TOTP app for 2FA is not unreasonable for that population. I don’t think, though, that consumers in general are ready yet for TOTP apps and authentication. And at this time SMS-based 2FA still provides a tangible layer of protection against broad-scale cyber attacks. Risk, in terms of data security, is a function of the likelihood of an exploit or breach and the cost of the damages incurred as a result. CISOs need to manage risk and reduce it where possible, but they can’t implement security controls that will decrease use of revenue-generating consumer apps.

Delphia Schmidt