“You can use this puppy for now, but it’s on its way out.”
That’s the thought process behind a recent edict from the National Institute of Standards and Technology suggesting that agencies move away from using SMS text messaging for two-factor authentication.
Last week, numerous tech outlets picked up on the fact that SMS was deprecated in NIST’s Special Publication 800-63-3, the institute’s newest revision to its Digital Authentication Guide.
Paul Grassi, NIST’s senior standards and technology adviser, explained the rationale Friday in a blog post on the National Strategies for Trusted Identity in Cyberspace’s website. Grassi says the agency recommends moving away from SMS because it’s increasingly difficult to determine whether a text message is actually going to a mobile phone.
“It’s a beautiful thing about SMS interoperability that we can send a message to a ‘phone number’ without really caring if it’s an SMS, MMS, iMessage, or data message to some other internet service,” Grassi writes. “An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn’t have to know the difference when they hit send—that’s part of the internet’s magic. But it does matter for security.”
Additionally, even if agencies are able to verify that an SMS is being sent to a mobile phone, intercepting those messages is easier and cheaper for those looking to find a way into government systems.
“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3,” Grassi wrote. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”
NIST stopped short of removing the SMS guidelines entirely because text messages may still work for existing government systems. However, NIST hopes the deprecation pushes agencies to reassess their two-factor practices as they modernize their systems.
“It’s up to agencies to make the risk-based decisions that best serve their constituents today and future-proof systems for tomorrow,” the blog post reads.
SMS deprecation is only one of several pieces of password-related guidance in the draft document. The guide also reworks the agency’s Level of Assurance model, establishes tighter rules for knowledge-based verification and issues directives around the weakness of passwords.
The document is still open for public comment on the agency’s GitHub page until Sept. 17.