Biometrics are gaining ground as an acceptable authentication method, but some conditions must be met

Jul 25, 2016 22:20 GMT

The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA).

The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software.

NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.

SMS-based 2FA still acceptable, but not for long

According to the latest DAG draft version, NIST officials are discouraging companies from using SMS-based authentication, even saying that SMS-based 2FA might be considered insecure in future versions of the guideline. The exact paragraph in the NIST DAG draft is:

  If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.  

The NIST DAG argues that SMS-based two-factor authentication is an insecure process because the user may not always be in possession of the phone.

While the guideline recommends that apps use tokens and software cryptographic authenticators, these may also take the form of phone apps or devices that can be stolen or "temporarily borrowed," just like handsets.

The NIST guideline recognizes this risk as acceptable, but unlike tokens and cryptographic authenticators, SMS has another weak spot that has eroded its trustworthiness: VoIP services.

SMS considered insecure, especially on VoIP connections

Because some VoIP services allow the hijacking of SMS messages, NIST officials encourage software vendors that make SMS-based 2FA systems to specifically check for the usage of a VoIP connection before sending the 2FA code.
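As an added example (not NIST's text or any vendor's code), the following Python sketch shows what a verifier that follows the two SMS rules quoted from the DAG draft would look like: it refuses to send an out-of-band code to a pre-registered number that a line-type lookup reports as anything other than a mobile network (unknown results fail closed), and it refuses to change the pre-registered number unless a second factor was presented at the time of the change. The lookup table and phone numbers are constructed placeholders; a real deployment would query a carrier or number-portability lookup service instead.

```python
"""Added example: an out-of-band (OOB) SMS verifier that applies the DAG draft's
two SMS rules. Not NIST's code; the carrier lookup is a constructed stand-in."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed line-type table standing in for a real carrier lookup service.
# The numbers and classifications are made up for this example.
LINE_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
}


class OOBPolicyError(Exception):
    """Raised when an action would violate the SMS OOB policy."""


@dataclass
class Account:
    username: str
    phone: str                            # pre-registered telephone number
    pending_code: Optional[str] = None    # outstanding one-time code, if any


def lookup_line_type(phone: str) -> str:
    """Return 'mobile', 'voip', 'landline' or 'unknown' for a number (assumed lookup)."""
    return LINE_TYPE.get(phone, "unknown")


def send_sms_code(account: Account,
                  sender: Optional[Callable[[str, str], None]] = None) -> str:
    """Issue an SMS OOB code only if the registered number is on a mobile network.

    Anything other than 'mobile' (VoIP, landline, unknown) is refused, so the
    check fails closed when the lookup cannot classify the number. The code is
    returned only so the example can be exercised without a real SMS gateway.
    """
    line_type = lookup_line_type(account.phone)
    if line_type != "mobile":
        raise OOBPolicyError(f"refusing SMS OOB to {line_type} number")
    code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
    account.pending_code = code
    if sender is not None:
        sender(account.phone, code)
    return code


def verify_sms_code(account: Account, submitted: str) -> bool:
    """Check a submitted code once; the pending code is cleared whether or not it matches."""
    expected = account.pending_code
    account.pending_code = None
    return expected is not None and hmac.compare_digest(expected, submitted)


def change_phone(account: Account, new_phone: str, second_factor_ok: bool) -> None:
    """Change the pre-registered number.

    The draft requires two-factor authentication at the time of the change; the
    caller passes the outcome of that step. The new number must itself pass the
    mobile-network check so the policy cannot be bypassed by re-registration.
    """
    if not second_factor_ok:
        raise OOBPolicyError("phone change requires two-factor authentication")
    if lookup_line_type(new_phone) != "mobile":
        raise OOBPolicyError("new number is not on a mobile network")
    account.phone = new_phone
    account.pending_code = None   # invalidate any code sent to the old number


def policy_allows(action: Callable, *args) -> bool:
    """True if the action completes, False if the OOB policy refuses it."""
    try:
        action(*args)
        return True
    except OOBPolicyError:
        return False


if __name__ == "__main__":
    alice = Account("alice", "+15550100001")
    code = send_sms_code(alice, sender=lambda to, c: print(f"SMS to {to}: {c}"))
    print("verify:", verify_sms_code(alice, code))
    print("VoIP number allowed:", policy_allows(send_sms_code, Account("bob", "+15550100002")))
    print("change without 2FA allowed:", policy_allows(change_phone, alice, "+15550100001", False))
```

The same structure applies whichever lookup service a verifier uses: the decision to send is made on the line type of the stored number, not on anything the client supplies, and the number-change path is protected by the same second factor the SMS step is meant to provide.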

SMS as a protocol is widely considered insecure. Only last week, researchers at Context Information Security revealed another attack that relied on weaknesses in the SMS protocol to compromise devices and their users. As more research of this kind accumulates, NIST, software vendors, companies, and users will move to more secure methods of authentication.

The current NIST guidelines are still under discussion, but it is almost certain that future versions of the Digital Authentication Guideline will no longer recommend SMS-based authentication as a secure method for out-of-band verification.

Biometrics are gaining traction

NIST's DAG draft also acknowledges the proliferation of biometrics as an authentication method, which it considers acceptable under one condition:

  Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have).  

UPDATE: A reader has pointed out that the new version of the NIST document now reads "OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance," instead of the original "OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance," as it did at the time of writing.