back to article US standards lab says SMS is no good for authentication

America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication. That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section, the document says out-of-band verification using SMS is deprecated and won't appear in future …

  1. Nick Kew

    They're behind the curve

    The BBC's investigative department has run a number of articles about criminals hijacking a phone number to get through a victim's SMS authentication. Fairly recently they persuaded one of the main banks (I forget which) to drop it after several verified cases.

    That's why we have better technologies, going back as far as PGP, and forward to Milagro for the next quantum leap.

    1. allthecoolshortnamesweretaken

      Re: They're behind the curve

      As quantum leaps are very small and random, I hope someone comes up with something clever that actually works.

      1. Anonymous Coward
        Anonymous Coward

        Re: They're behind the curve

        So, I use my credit card and have to get the details right. Then I get an SMS from my bank with a secret code. So the criminals would have to know my number to persuade my mobile provider to forward them the SMS or persuade my bank to send the SMS to a different number or hack the SMS-C...... or get access to my unlocked phone (or unlock it). I don't think my bank will be easily persuaded.

        If this is replaced by an "app" on my phone then I suspect it'll be easier for a criminal to get into the phone than to subvert the SMS process, given how secure phones are!

        I quite liked one bank I used where I had to go through their system to generate a one off set of card details for each transaction (phone or internet). They've stopped doing it now though.

  2. Tomato42

    For moment there, I completely forgot about the atrocious security of the US carriers

    (not that others are not bad in their own right, but some are more... "special" than others)

    1. NotBob

      It could be worse. We could have TalkTalk.

    2. a_yank_lurker

      Not just the carriers but users who insist on having a banking type app (or equivalent) on their not-so-secure and easy-to-lose smartphone.

      1. Charles 9

        Because users have a NEED (not a WANT, a NEED) to bank on the go, such as to quickly transfer funds because their bank card is low and it's close to closing time and so on. And given that many people are willing to go without their WALLET but not without their PHONES, and you've got a real issue here because they're going to use it will ne, nil ye. You better find a way to make those apps tight, then.

        As for two-factor, there's also the problem that, if you can't use the phone as a second factor, most people DON'T HAVE a second factor at all. Which means two-factor authentication is no longer possible.

      2. Charles 9

        "...and easy-to-lose smartphone."

        I don't know about that, given how often I see people actually using them. From where I look at things, more people lose their wallets than their phones, and those can lead to full-fat identity theft...

  3. Ole Juul

    Good riddance

    No cell coverage here so just get pissed off when asked for SMS authentication.

    1. Charles 9

      Re: Good riddance

      Well then, how DO you do two-factor authentication with no wireless data coverage to speak of?

      1. Anonymous Coward
        Anonymous Coward

        Re: Good riddance

        In order to bank at all you have to have some sort of network connection, so you can do the second factor over the network.

        Personally I'd like to see Apple introduce support in the secure element for RSA type token authentication, with third parties allowed to hook in with their own certificates and seeds. Yeah, some people will object and say it isn't "two factor" if you are using a bank app on your phone and using your phone as a secure ID token, but if someone has physical possession of your phone and the password to your bank and whatever PIN/password is required for a token then you have allowed yourself to be totally p0wned and should go back to banking with a teller in person.

        Obviously Android phones could add similar support, but since they lack consistent hardware it would be more hit or miss how secure the provision of a token would be.

        1. Charles 9

          Re: Good riddance

          "In order to bank at all you have to have some sort of network connection, so you can do the second factor over the network."

          The problem is if the NETWORK is compromised. Which is why the second factor MUST be out of band. Otherwise, it's all the eggs in one basket, so to speak.

          As for fobs and tokens and so on, wasn't RSA hacked and the algorithm leaked so that the keys could be cloned?

          "...and should go back to banking with a teller in person."

          And if your bank has NO tellers?

          1. Anonymous Coward
            Anonymous Coward

            Network compromise is irrelevant

            How does a compromised network affect you, if you are using properly encrypted data in a way that isn't susceptible to MITM attacks? You should ALWAYS assume your network is compromised! You have no way to prove that it is not, so I don't see why knowing that it is should change anything.

            1. Charles 9

              Re: Network compromise is irrelevant

              Because with a significantly-resourced enemy like a State, there is no such thing as "properly encrypted data". Insiders who can purloin data outside the envelope, state control of networks which can block, usurp, maybe even (with insider knowledge of the keys by hook or crook) perfectly impersonate one or the other party. Remember, we're pretty close to a DTA world as it is.

              1. Anonymous Coward
                Anonymous Coward

                Re: Network compromise is irrelevant

                For these "significantly-resourced" enemies and insiders you are talking about, two, three or eighteen factor authentication will not help.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Network compromise is irrelevant

                  In which case, what would you recommend?

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Network compromise is irrelevant

                    I would recommend not worrying about it. If your government wants access to your account information, they'll get it from your bank. If they want access to your money, they'll freeze your assets. There's nothing you can do about it. They aren't going to hack your account over the internet to get at it, so controls on your end don't matter.

                    As for insiders, you can't prevent them from taking your money for similar reasons because they can also bypass all those external controls, but you will (though maybe not right away) be able to get it back. Banks have very good internal controls and are able to detect rogue insiders, if not the minute they try something, eventually. For those who fail to detect them until it is too late and the insider has fled to somewhere without an extradition treaty, well that's why banks have insurance...

      2. goldcd

        Pretty easily

        with an offline keygen like the RSA one in various guises or even Google Authenticator.. question would be that if you don't have a connection, wtf would you be attempting to authenticate in the first place?

      3. Wim Ton

        Re: Good riddance

        I can still get a piece of paper mailed with one-time transaction codes.

        1. Charles 9

          Re: Good riddance

          They raid your mailbox and steal the codes, then...

  4. Alister

    I'll be glad if this happens, as it will remove one the perpetual annoyances I have nearly every day.

    We currently use SMS 2FA to allow people to log in to a secure site which we provide to a client.

    We are forever getting rung up with complaints that they haven't received their SMS to let them log in, and no amount of explaining how SMS works makes any difference, they expect us to somehow make it work instantaneously.

    SMS is a best effort service, exactly like email, and can be delayed for all sorts of reasons, and is therefore not a good fit for secure 2FA.

    1. kwhitefoot

      I assume you are in the UK where SMS is indeed very unreliable. Here in Norway it is rare for me to have to wait more than ten seconds for the text to arrive from my bank.

      The mobile phone system in the UK is astonishingly bad. I visited Selby in Yorkshire a few weeks ago and had a really hard time making calls in the villages nearby. And it wasn't just one network that was bad either, family members with UK subscriptions on different networks were just as poorly served.

  5. Anonymous Coward
    Anonymous Coward

    Most uses of 2FA via SMS...

    ... are just attempts to make you give 'em your phone number as a unique ID to attach to your profile, banks aside (which already have lots of personal info about you).

    I'm glad anyway my bank uses a token for authentication. It's less comfortable to remember to carry it when you need it, but I store it separately from the phone (less chances to lose both at the same time), my bank credentials are not stored in the phone (there are some critical credentials which are best stored in your brain memory only) thereby even the bank app is safe enough.

    1. Charles 9

      Re: Most uses of 2FA via SMS...

      "I'm glad anyway my bank uses a token for authentication. It's less comfortable to remember to carry it when you need it, but I store it separately from the phone (less chances to lose both at the same time), my bank credentials are not stored in the phone (there are some critical credentials which are best stored in your brain memory only) thereby even the bank app is safe enough."

      So what if you have a bad brain, a poor memory, and a tendency to lose things (including your wallet, IN the supermarket)?

      1. Jan 0 Silver badge

        Re: Most uses of 2FA via SMS...

        > "So what if you have a bad brain, a poor memory, and a tendency to lose things (including your wallet, IN the supermarket)?"

        In that case, you can't keep a job and your ESA isn't of much interest to fraudsters?

        1. Charles 9

          Re: Most uses of 2FA via SMS...

          Some people can get by on muscle memory, but brain memory (such as for passwords and PINs on devices that keep changing) is beyond them. They usually have to go to a teller (if one's available) and use signatures.

  6. Mike Shepherd

    "SMS is no good for authentication"

    ...just as HMRC starts to use it for self-assessment returns etc.

  7. Rimpel

    Lost phone

    SMS is an advantage over an authenticator app if you lose your phone. Getting a replacement phone and sim set up is pretty quick and straightforward, however contacting the customer services for each authenticated service to regain access is a pita.

    I went through this recently when my phone broke and I no longer had access to the authenticator app, I've switched to SMS now where possible.

    1. Preston Munchensonton

      Re: Lost phone

      @Rimpel, there's no doubt that the scenario you describe is the reason that so many are thrilled to use SMS for 2FA. Simplicity of use is the tradeoff for the lack of genuine security that it provides.

      As security conscious as I may be, it's really up to individuals to evaluate that risk for themselves. If this is what consumers want, then banks and others will offer it until an alternative comes along that isn't such a PITA.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lost phone

        Which UK banks do SMS authentication? Some of them still use 2nd "secret" password, where you have to type a few letters from that password every time => bullshit security.

  8. Anonymous Coward
    Anonymous Coward

    Do US mobile numbers still look like landline numbers?

    In which case how's an honest soul supposed to tell whether it's a mobile or not?

    Not that the land of GSM and beyond is much better off; a number can look like a mobile number and end up somewhere entirely different, courtesy of simple stuff like call forwarding and doubtless a variety of other mechanisms.

    1. hayzoos

      Re: Do US mobile numbers still look like landline numbers?

      US numbers can be ported between carriers. My landline number was ported from Verizon landline to Comcast VOIP and is now on my AT&T mobile plan with their cell to POTS device. I see charges on my bill for texts but the device has no SMS capability, good thing they are zero charges on unlimited text plan.

  9. energystar

    Fragmentary Technology...

    All of the session should be guaranteed. Not Just the up-front credential exchange.

    1. energystar

      Re: Fragmentary Technology...

      A good Starting point for NIST is enforcing two independent [preferably differing path] channels, one way comm. Security integration only at links ends.

      1. Charles 9

        Re: Fragmentary Technology...

        And if the bad guys get you OUTSIDE the envelope?

  10. Paul 129


    I read this article and got the impression that their advocating an app, over a potentially out of band communication.

    The only way that I could think that this would be safe is if the app is on a standalone device.

    for example it uses wifi comms to transmit the data to the authenticating device, including amount, who the transaction is to etc, which is then displayed on the authenticator for approval, before being wrapped up and signed by the authenticator.

    i.e. another device with all the foibles of a mobile phone, but is only allowed to run the one app.

    I can't see that being popular.

  11. No such thing as an Anonymous Coward

    Which UK banks do SMS authentication...

    Santander for transaction authentication

  12. MK_E

    When I briefly worked for RBS, every transaction I performed with online banking would generate me a code, for which I'd have to insert my card into a reader, enter my PIN and the code, and the reader would spit me back an auth code.

    Bit of a pain in the arse if I want to use online banking and I've not brought my widget with me though.

  13. Jin

    More important is prohibiting biometrics for 2F schemes.

    Biometrics should not be activated where you need to be security-conscious.

    It is known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. The following video explains how biomerics makes a backdoor to password-protected information.

    1. Charles 9

      Re: More important is prohibiting biometrics for 2F schemes.

      But what about those people who have poor memories for passwords and PINs?

  14. Anonymous Coward
    Anonymous Coward

    Hardware Security Module device can solve this

    The problem is that: from the way the phone networks are design, up to the device of the client, everything is vulnerable in so many ways!

    Just having access to some Telecom Carrier in some country (like say, pay some one to install a backdoor) gives access to most Telecom Carriers around the world... and with that and the phone number you can get the code in your terminal from even people in the other side of the world without even getting close to their phones at all... so this system is flawed!

    What then? What can banks, and everyone else do?

    For normal authentication maybe people just need SQRL (Secure Quick Reliable Login), and for authentication of requests/ operations some digital signature. .. if SQRL can't perform that to.

    The best is that this can be done in some Hardware Security Module (HSM) device... like say: the size of a credit card calculator, to fit a wallet or the pocket, but with privacy display, integrated keyboard, camera to recognize QR codes and just the ability to connect to reader devices physically (like say: ATM machines; Point of sales; readers for internet web sites;...). Of course people can have their own readers or readers can be integrated into new smartphone/ tablets/ laptops so that this would work almost seamless.

    The device it self should display the action, where the user is trying to login/ authenticate something, what exactly is being requested from him/ her, give the choice tho choose from multiple private keys (so that every bank/ service can have their own key associated, if SQRL can't be used) and that is it.

    To protect the device the sky is the limit, finger scanner plus some password (displayed randomly) would be a good solution (something you have plus something you know... something you have may be demanded/ removed from you (like say: by criminals), but something you know depends on your own will.

    Of course exporting the private keys should be either impossible (the most secure option) or just using the device it self to create encrypted backups (no external way to request that)... isn't so secure but allows recovery if you loose/ destroy or someone steals the device.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like