The NIST and SMS-Based Two-Factor Authentication
Many enterprises are using or developing two-factor authentication (2FA) solutions to secure systems for their end users and their own employees. 2FA usually combines a username and password with another out-of-band (OOB) token, such as an SMS or text message, or voice call. OpenMarket, a leading mobile messaging provider, helps enable 2FA through its Global SMS API, which allows enterprises to send text messages worldwide.
Recently, the National Institute of Standards and Technologies (NIST) released a special publication that contemplates the use of SMS for 2FA. Since OpenMarket’s own Information Security program is based on the NIST framework, I wanted to further understand the nuances of this publication and what this means for businesses using SMS-based 2FA.
At first glance, this new special publication raised some questions about 2FA, and there have been quite a few ‘hot take’ articles and blogs lately which didn’t quite ring true to me – so I turned to one of OpenMarket’s resident experts in this field, Louis Couwenberg. Louis works in the Information Security group at OpenMarket, and has over 15 years of experience in the information security, risk and assurance space working at companies like Microsoft and Disney. At OpenMarket, he works closely with the product, development and operations teams to deliver world-class mobile messaging solutions.
Here is the Q&A from my recent discussion with Louis:
Q: Why is two-factor authentication important, and why should businesses use SMS for this?
A: The vast majority of data breaches are the result of weak or hacked passwords. In fact, somewhere north of 90% of data breaches could have been avoided with something as simple as SMS-based 2FA. A one-time password sent via SMS is only one of two factors. The username/password is the other, and getting both is challenging by design. The strength of 2FA is that you must have both for access. The strength of SMS is that it works on all mobile phones and is simple to use; therefore, it actually gets used.
The NIST has offered several recommendations about how to best employ 2FA. These include: 1) the authentication secret shall be considered invalid if not received within 5 minutes, 2) a token has a limited lifespan, and 3) multiple failed authentication attempts may lock out the account and notify the account owner.
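As an added illustration of the three recommendations listed above (example code, not OpenMarket's or NIST's), a minimal server-side verifier that enforces the 5-minute window, single use, and lock-out after repeated failures. The attempt threshold and lock-out duration are assumed values, and the `clock` parameter is only a test hook; sending the SMS itself is out of scope.

```python
import hmac
import secrets
import time

# Added example: server-side store for SMS one-time passwords.
# Enforces the NIST points quoted in the interview: 5-minute validity,
# single-use codes, and lock-out after repeated failed attempts.
OTP_TTL_SECONDS = 5 * 60       # code invalid if not received within 5 minutes
MAX_FAILED_ATTEMPTS = 3        # assumed policy value, not from NIST
LOCKOUT_SECONDS = 15 * 60      # assumed lock-out duration


class OtpStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for testing
        self._pending = {}         # user -> (code, issued_at)
        self._failures = {}        # user -> consecutive failures
        self._locked_until = {}    # user -> lock expiry timestamp

    def issue(self, user):
        """Generate a random 6-digit code; the caller delivers it via SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._clock())
        return code

    def verify(self, user, submitted):
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending_code"
        code, issued_at = entry
        if now - issued_at > OTP_TTL_SECONDS:
            del self._pending[user]            # expired codes are never accepted
            return "expired"
        if hmac.compare_digest(code, submitted):
            del self._pending[user]            # single use: consume on success
            self._failures.pop(user, None)
            return "ok"
        fails = self._failures.get(user, 0) + 1
        self._failures[user] = fails
        if fails >= MAX_FAILED_ATTEMPTS:
            del self._pending[user]            # discard the code being guessed
            self._failures.pop(user, None)
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"                    # caller should notify the owner
        return "wrong_code"
```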
Q: OpenMarket’s own internal security program incorporates aspects of the NIST guidelines and framework. How do we live in a world where we aspire to NIST guidelines, but still use 2FA with SMS? Doesn’t the NIST Special Publication recommend that SMS not be used?
A: First, the context in which 2FA is employed is very important. The concept of a risk context contemplates how and when systems are secured, and how much risk is acceptable for the safeguarding of the data. In fact, the ISO 27001 standard talks about the need to first define the organization's risk context and then choose the applicable controls. The emphasis is on choosing applicable controls rather than implementing every control. For example, restricting employment to only US citizens may be an appropriate control for some Federal Agencies, but probably not for a majority of businesses. So keeping the context in mind, it makes sense that the NIST, which is a Federal Agency, will have much stricter tolerances to comply with.
This is a procedural decision made by a Federal Agency. NIST actually provides guidelines for the use of SMS (see Special Publication 800-63B 220.127.116.11), however, it just prefers that Federal Agencies don’t.
Q: Given all of the NIST guidance, why would a business still choose to use SMS for 2FA over another channel?
A: Simply put – cost and benefit. For example, most people have their own mobile phone and can receive SMS. The SIM card that’s already in the phone provides the physical factor which can save businesses money versus if they need to use RSA tokens.
Also, ease of use and low maintenance are huge factors for using SMS. For example, it is impractical for a bank to send its customers an RSA token, which is expensive and can get lost due to infrequent use. Even if bank employees use a soft token, the bank would need to install an application on employee machines and terminals, and this would require maintenance and updates by the IT department. With SMS, you don’t have these problems – you rely on something your end users already have and know how to use – their mobile phone. The bottom line is that SMS-based 2FA is the most cost-effective method for most businesses and it provides better security than just username and password alone.
Q: Do you think this is the beginning of the end for SMS-based 2FA?
A: I don’t think so. Implementing some form of 2FA is an incremental improvement in security over just a user name and password. SMS is a convenient and reliable delivery mechanism similar to the US postal service delivering your credit card PIN. It’s possible to intercept the token, but that’s only one factor. In the case of SMS-delivered tokens, they are only valid for a short period of time.
Q: What are some specific recommendations enterprises can take away for their own SMS-based 2FA programs?
A: If you’re only using a username and password, then adding 2FA with SMS is still better. OpenMarket can identify real networks from VOIP and VOIP-generated numbers and NIST’s guidance is to use only numbers associated with real networks.
Q: What about using mobile app authenticators?
A: Mobile app authenticators are a good option for smartphone users, but they do add a layer of complexity because users have to find, download and learn these apps. There are still large segments of the population both US and globally that don’t have a smartphone. A strength of SMS-based 2FA is that it natively works on every phone – it’s truly ubiquitous. Security that is simple to use gets used and that makes us all safer.
In summary, using SMS-based 2FA is just one control out of many that should exist to mitigate the risk of unauthorized access to systems. This includes strong password policies, periodic changing of passwords and secrets, and more.
The key takeaways for me are that 1) enterprises need to secure their systems for both internal and external users, 2) the NIST has several recommendations on how to employ 2FA, and 3) that SMS-based 2FA is a viable option for most businesses and user scenarios due to its cost effectiveness and ease of implementation.
If you have more thoughts to share on this topic, please contact me at firstname.lastname@example.org.