Standards body warned SMS 2FA is insecure and nobody listened
Duo Security says NIST's advice to deprecate out-of-band passwords has been ignored
The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security.
Last July NIST declared that sending one-time passwords to mobile phones was insecure.
The organisation wrote in its advisory that the likelihood of interception makes texting unreliable.
"Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators," NIST wrote at the time.
"Out-of-band authentication using [SMS or voice] is deprecated, and is being considered for removal in future editions of this guideline."
NIST stated organisations using SMS for two factor authentication must verify that the supplied number is not associated with a voice-over-IP service.
But scores of organisations use SMS for verification. Google offers it as a fall-back service in place of secure mechanism like its Authenticator app and hardware dongles, as do Twitter, Facebook, and scores more.
Duo Security's Mayank Saha says the statement has had virtually no impact some six months after its announcement according statistics about the use of SMS among its clients.
The firm's customers include NASA, Facebook, Toyota, and Etsy, plus organisations in the government, health, and education sectors.
"Prior to the declaration, we were seeing roughly six to eight percent of two factor traffic in use with our service via the SMS method … after the announcement was made we’ve seen a similar percentage," Saha says.
"There is a notable lack of significant change to the rate of decline after the release of the revised NIST guidelines."
Saha says SMS has this year slowly fallen out of favour with clients but that the NIST advice did nothing to accelerate that rate.
He says push-based authentication which NIST recommends and Google deployed in June is more user friendly and secure than SMS, as are U2F dongles which require users to insert USB sticks into logging in devices. Google also uses the latter login mechanism and plugged it in a recent study Security Keys: Practical Cryptographic Second Factors for the Modern Web [PDF].
SMS authentication is the most universal and arguably useable method of two factor login, primarily because it requires only a phone bearing the right SIM card.
It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.
The NIST guidance comes some four years after Australia's private sector Communications Alliance lobby group ruled SMS as unsafe for two factor authentication. ®