It’s hard to know how to protect your personal security online with data breaches happening at businesses and institutions all the time. But one thing you may have heard, including on Slate, is that enabling “two-factor authentication” (also called “multi-factor authentication” or “two-step verification”) is a relatively easy way to secure your digital accounts. This is absolutely true, but unfortunately nothing in security is ever quite as easy as people would want it to be.
On Monday, the National Institute of Standards and Technology released a draft of its new proposed Digital Authentication Guideline 800-63B. The document includes a lot of updates and changes, but one important one is a shift away from recommending SMS text messages as one of the “factors” in two-factor authentication. The most mainstream form of the security precaution up until now has been signing into a service with your username and password and then entering a onetime code received through SMS to complete the login process. The idea is that even if someone trying to access your account know your username and password, it’s unlikely that they will also have access to your phone to see the code that’s texted to you.
Security researchers have become increasingly concerned about this system, though, as hackers find more and more ways to remotely access SMS texts. Additionally, as VoIP communication services (Google Voice, Skype etc.) have proliferated, it has become harder to assess whether an SMS message is truly being sent over the cell network or whether it is being funneled through other transmission protocols with varying levels of security. The draft guidelines say, “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators.”
NIST’s guidelines, which are directed at federal agencies, aren’t flat out banning SMS as an authentication factor right now. But the draft does warn that things will eventually move in that direction and that SMS “may no longer be allowed in future releases of this guidance.” The idea right now is to discourage agencies from making new investments in two-factor infrastructure that involve SMS and to invest instead in other authentication options like biometrics, secure mobile apps that generate one-time codes, cryptographic chips, or dongles that generate single-use codes. The guidelines are basically encouraging futureproofing, and are acting as a warning to existing SMS-based systems that things will eventually need to change.
“What we’re seeing now is that the investment required by a malicious actor [to hack SMS] is going down, it’s getting easier to do,” said Michael Garcia, the deputy director of authentication research program NSTIC at NIST. “The scalability of that is sufficiently high that it’s really becoming a problem. It’s certainly better than just a password to use SMS and password, but it’s insufficiently secure for a lot of applications.”
Going forward, NIST wants to encourage investment in security technology that makes it easier to switch between authentication factors, so if the efficacy of one approach is degraded by bad actors, a different one that still offers robust protection can take its place. For groups that already have SMS two-factor in place, “We’re not saying federal agencies drop SMS, don’t use it anymore,” Garcia notes. “But we are saying, if you’re making new investments you should consider that in your decision-making.”
With this generation of proposed guidelines, NIST is trying a new system for offering public previews of its drafts, so it can get additional comments and suggestions before a draft enters the standard open comment period, which will start for these proposals at the end of the summer. Garcia estimates that the guidelines will be revised and approved by the end of the year, depending on how much feedback NIST gets during the preview and open comment periods. And these recommendations don’t directly apply to the services you use from nongovernment companies like Facebook or Google. But eventually you should see these best practices trickling down to the products you use every day.