Postpone OOB SMS deprecation #78

Closed
taprootsec opened this issue Jun 6, 2016 · 3 comments

Comments


taprootsec commented Jun 6, 2016

Organization: Taproot Security

Type: 3

Reference: “OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” [SP 800-63-3B 5.1.3.2]

Comment:
SMS-based OOB deprecation should be delayed until a later release of SP 800-63. A rationale for deprecation should also be included.

Special Publication 800-63 is highly influential in the private sector. For instance, the US financial services authentication standard X9.117 is largely based on its framework. Therefore the impact of changes beyond federal agencies deserves consideration.

Hundreds of web sites offer 2-step verification via text messages, including Google, Microsoft, Apple, Yahoo, and Dropbox. By saying OOB using SMS is deprecated, NIST tells service providers they should start phasing it out now, and no new usage should be deployed. NIST does not state their reasons for this decision in the draft (hopefully they will in the final published version) but it’s not hard to guess. SMS is widely acknowledged to be an insecure protocol, lacking any meaningful encryption or authentication. VOIP-based virtual phone services may further erode SMS security. These weaknesses make SMS a poor authentication channel.

The problem is timing. After waves of web site breaches, many web site operators did the right thing and embraced 2-factor authentication. This typically means a 2-step verification scheme including text message codes. Although other delivery schemes exist (e.g., smartphone app), SMS remains the simplest and most usable. Flawed though it is, adding SMS OOB to a web logon significantly raises the bar against attackers. For now, the benefits outweigh the risks.

Sites should be encouraged to offer a variety of 2-step verification options to users, including text messaging. A few years from now, when 2-factor authentication is the norm not the exception, and good OOB alternatives to SMS are widely available (including to users without smartphones), that is when NIST should move to deprecate.

Suggested Change:
Withdraw the sentence, and postpone SMS OOB deprecation until a later release of SP 800-63. Or if that suggestion is not acceptable, include a rationale for deprecation (similar to Appendix A rationale for short passwords).


@jimfenton
Member

This week, there were two high-profile hijackings of cell phone accounts reported:

  1. The cell phone account of the FTC Chief Technologist was hijacked by an impostor using a fake ID. Although the motivation of the attacker was apparently to purchase and resell the phones, it was noted that this could also be used by an attacker attempting to bypass two-factor authentication. The report of the attack also pointed to a New York State website warning against what is called a "SIM swap" scam to defeat OOB SMS.
  2. Black Lives Matter activist DeRay McKesson had his mobile account hijacked and used to take over his Twitter account, which had two-factor authentication enabled.

Not everyone lives in a location with cell phone service. Although these areas are getting to be fewer and smaller, any service providing authentication at scale needs to provide an alternative to SMS OOB already.

This is in addition to warnings issued in many other countries over the years. Australian telecom providers declared SMS unsafe for bank transaction authentication in 2012. Also in 2012, the Eurograbber trojan was said to be responsible for tens of millions in losses by hijacking SMS authentication codes.

Deprecation of SMS in SP 800-63B means that it will probably be a few years before SMS is declared unsuitable for two-factor authentication in government applications, but that advance warning is being provided now. But in view of these significant failures, one might ask whether that is soon enough.

@paul-grassi
Collaborator

Please also see detail in Issue #19

@mschleiff

Although this issue keeps getting closed, it's evidently not closed (Issue #19 & Issue #71); it still seems a very hot topic. I think the topic should be kept open while more views/comments are submitted.

Jim cites security events around SMS. There are security events for all of these authenticators, and that doesn't mean they get deprecated; it just means the authenticators more susceptible to compromise should get a lower assurance level.

How many password compromises occurred in the same week? You're not suggesting deprecation of passwords - you're just giving passwords a lower assurance level. So, just give OOB SMS a lower assurance level.

usnistgov locked and limited conversation to collaborators Jun 18, 2016