Two-Factor Authentication and SMS Messages: Don’t Let The Perfect Be The Enemy Of The Good
Last week, a lot of tech media sites were breathlessly reporting that the National Institute of Standards and Technology (NIST) in the United States had said that two-factor authentication (2FA) via SMS messages would be “deprecated” in future standards. Some took this to mean that the technique was insecure and that users should shy away from it.
Let’s step back and see what the NIST really said:
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
The NIST here is talking about a specific concern: how text messages can be intercepted and not sent to a cellular phone if the number is tied to a VoIP (or similar) service. Of course, that’s not the only security worry with SMS messages: they can be stolen by Android malware. Social engineering can also target either the cellular provider (to deactivate the original SIM, and provide a new one to attackers) or the websites (to deactivate 2FA).
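The NIST text above places three concrete duties on the verifier: reject numbers that are not on a mobile network, refuse to change the registered number without a second factor, and only then send the code. The sketch below is an added example (not code from the original post or from NIST) of what those duties look like in an SMS OOB verifier, plus the hygiene any one-time code needs regardless of channel: a short lifetime, a small attempt budget, single use, and a constant-time comparison. The `NUMBER_TYPES` table is a constructed stand-in for a carrier line-type lookup, and the `sent` list stands in for an SMS gateway; both are assumptions for the sake of a self-contained example.

```python
import hmac
import secrets
import time

# Constructed stand-in for a carrier / line-type lookup service. A real
# deployment would query the provider; this table is an assumption.
NUMBER_TYPES = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
}

OTP_TTL_SECONDS = 300   # code lifetime
MAX_ATTEMPTS = 3        # guesses allowed per code


def is_mobile_number(phone: str) -> bool:
    """NIST: the verifier SHALL confirm the number is on a mobile network, not VoIP."""
    return NUMBER_TYPES.get(phone) == "mobile"


class SmsOtpVerifier:
    """Minimal SMS out-of-band verifier following the quoted NIST requirements."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.sent = []          # stand-in for the SMS gateway: (phone, code) pairs
        self.phone = None       # pre-registered number
        self.pending = None     # [code, expires_at, attempts_left]

    def enroll(self, phone: str) -> None:
        # Refuse VoIP / landline / unknown numbers at registration time.
        if not is_mobile_number(phone):
            raise ValueError("number is not on a mobile network; SMS OOB not allowed")
        self.phone = phone

    def change_number(self, new_phone: str, second_factor_ok: bool) -> None:
        # NIST: changing the pre-registered number SHALL NOT be possible
        # without two-factor authentication at the time of the change.
        if not second_factor_ok:
            raise PermissionError("second factor required to change phone number")
        self.enroll(new_phone)

    def send_code(self) -> None:
        if self.phone is None:
            raise RuntimeError("no pre-registered number")
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded 6 digits
        self.pending = [code, self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.sent.append((self.phone, code))         # hand to the SMS gateway

    def verify(self, submitted: str) -> bool:
        if self.pending is None:
            return False
        code, expires_at, attempts_left = self.pending
        if self.now() > expires_at or attempts_left <= 0:
            self.pending = None                      # expired or exhausted: discard
            return False
        self.pending[2] -= 1                         # every guess spends budget
        ok = hmac.compare_digest(code, submitted)    # constant-time compare
        if ok:
            self.pending = None                      # single use
        return ok
```

The attempt budget and the short lifetime are what keep a six-digit code from being brute-forced at the verify endpoint; the number-type check and the protected number change are what the NIST paragraph adds on top of that, and they are the parts aimed squarely at the VoIP-interception and SIM-swap concerns discussed above.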
That said, however… some 2FA is better than no 2FA at all. We still see a lot of systems in vital industries–ICS and health care, for example–where 2FA ought to be used but isn’t. In these cases, some form of 2FA is still an improvement.
In the security industry there is a tendency to let the perfect be the enemy of the good. This is a good example. 2FA via text messages, for all its flaws, is still an improvement over an ordinary username-and-password system. In addition, the barriers to entry–cost, ease of use, and hardware requirements–are lower than with more secure 2FA systems.
What do we advise users to do? For end users: if any site you use–your bank, your social media site, any other website–offers 2FA, use it. Urge the sites you use that don’t offer it to adopt it.
For system administrators considering whether to adopt 2FA for their own systems, our advice is: don’t rule out SMS as a method just because of news reports that say it’s “insecure”. For systems that need the maximum protection, maybe it’s not appropriate. However, for systems where ease of use, cost, and user acceptance matter–it’s still a viable solution.
Of course, more secure systems like hardware tokens or app authenticators should be used as well, but don’t automatically rule out text messages. After all, consider the alternative: user names and passwords. As we’ve learned in the past few weeks, those have far more severe problems.
With additional insights from Martin Roesler and Robert McArdle