SMS Deprecation #19

Closed
deantonio opened this issue May 17, 2016 · 4 comments
Comments

@deantonio

Organization: 1

Type:

Reference (Include section and paragraph number): 800-63-3B Section 5.1.3

Comment (Include rationale for comment): Deprecating SMS will prove challenging for organization implementations. SMS is already a hard sell to some customers, so a code (OTP) via voice call had to be implemented. Other Out-of-Band (OOB) methods assume the user has a smart phone and app installed; based on past experience, assuming a customer has a phone capable of SMS (and is willing to use messages to log in) is not a safe assumption. Said differently, this version of 800-63 is pushing 2FA while already planning to remove one of the primary means by which 2FA is done today.

Suggested Change: Reconsider stance on SMS deprecation for OOB.


Organization: 1 = Federal, 2 = Industry, 3 = Other

@mleibner

mleibner commented May 17, 2016

Organization: 1

Type:

Reference (Include section and paragraph number): 800-63-3B Section 5.1.3.2 & 800-63-3B Section 6.2

Comment (Include rationale for comment):
Adding this as a comment on the issue opened by @deantonio so I don't create a duplicate issue.

What is the justification for SMS deprecation? SMS is likely the most popular form of 2FA available to consumers at this time & has a relatively low barrier to adoption compared to app-based OTPs. Because of strong adoption of SMS OTPs in online banking, awareness is higher among consumers than other types of OTP solutions. The protections mentioned in this section, such as ensuring that a number is on a mobile network & is not VoIP, address the primary security concerns surrounding SMS as an OOB option.

Deprecation of SMS as an OOB method also impacts 800-63-3B Section 6.2 (Loss, Theft, and Unauthorized Duplication), as SMS is commonly used as a backup authenticator when software-based OTP tokens are lost or unavailable.

Lastly, the sentence "OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance" from 5.1.3.2 is unclear. This deprecation note is written after describing how SMS can be used, which adds confusion as to whether or not SMS use is actually acceptable at this point in time. Without a firm deadline for disallowing SMS - just a mention of SMS being removed in "future releases" - agencies will be hesitant to implement SMS without understanding the useful life of an OOB SMS solution.

Suggested Change: Explain reasons for OOB SMS deprecation, and reconsider stance.


Organization: 1 = Federal, 2 = Industry, 3 = Other

@paul-grassi
Collaborator

paul-grassi commented May 19, 2016

Deprecated means that in the future it may not be allowed, but when -3 becomes final, agencies will still be able to use SMS based on their risk profile.

However, SMS is wrought with vulnerabilities that have led us to this conclusion. To name a few:

Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Twentieth International Conference on Financial Cryptography and Data Security, February 2016.

Collin Mulliner, Ravishankar Borgaonkar, Patrick Stewin, and Jean-Pierre Seifert. SMS-Based One-Time Passwords: Attacks and Defense. DIMVA 2013, 19 July 2013. (also slides)

"Warning: Why Most Two-factor Authentication Solutions are Unsafe"
https://www.linkedin.com/pulse/why-most-two-factor-authentication-solutions-unsafe-falk-goossens

"Aspect Warns Banks of SMS OTP Vulnerability" http://mobilemarketingmagazine.com/97087-2/

"'Eurograbber' SMS attack shows Android's vulnerability" http://www.techworld.com/blog/war-on-error/eurograbber-sms-attack-shows-androids-vulnerability-3537952/

"Telcos declare SMS 'unsafe' for bank transactions"
http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194

https://twitter.com/kingladar/status/723224164199358465

SpyEye Changes Phone Numbers to Hijack Out-of-Band SMS Security
https://securityintelligence.com/spyeye-changes-phone-numbers-to-hijack-out-of-band-sms-security/

https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief

http://www.cellusys.com/2015/10/20/8-ss7-vulnerabilities-you-need-to-know-about/

https://www.wired.com/2016/08/hack-brief-hackers-breach-ultra-secure-messaging-app-telegram-iran/

@mleibner

mleibner commented May 19, 2016

The "How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication" issue makes sense (if a user forwards texts to a web-accessible device, the SMS is no longer bound to hardware), but many of the other issues, like malware, are highly targeted & don't only apply to SMS - they may target software-based OTPs as well.

While not explicitly addressed in 800-63-3B Section 5.1.3.2, would you argue that voice OOB to a landline/mobile may be an acceptable alternative (where the user receives a phone call with the OTP)? It's not incredibly common, but some financial institutions currently offer this alternative to SMS.

@mschleiff

I'm a bit GitHub challenged, so maybe an answer is here and I just cannot find it.
Did mleibner's question about voice OOB (or text-to-speech delivered via phone) ever get answered? Is the intent also to deprecate that?
Carrying the discussion further, if in the future OTP hardtokens become wrought with vulnerabilities, will OTP hardtokens also be deprecated? I hope not. I hope instead that the AAL for hardtokens would be adjusted downward commensurate with the vulnerabilities.
