SMS for 2-Factor Authentication: Secure Enough?

From IIW

SMS for 2-Factor Authentication


Wednesday 1A

Convener: Sean Brooks and Jim Fenton

Notes-taker(s): Tom Brown

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


NIST - part of the Dept of Commerce


Broad adoption outside of government (nonprofits, academic institutions)


So it is important to get public feedback


NIST SP 800-63-3: https://pages.nist.gov/800-63-3/sp800-63-3.html


In the new version, SMS is deprecated as an out-of-band authentication mechanism


Deprecation - when we released the public draft, there were lots of articles about "NIST banning use of SMS for authentication"


Not saying that federal agencies can't use it - just trying to signal to the market that we don't see SMS as a reliable option for a 2nd factor


Not forbidden from using it


In the technical standards space, it is always a surprise when the media picks up anything at all


NSTIC wrote a clarifying blog post


The idea was to give the marketplace a heads up


SMS is cost effective for many orgs


SMPP (peer-to-peer) is widely used but not particularly secure


SS7 - designed without particular security; used among carriers, so not accessible to as many potential attackers as the internet


Social engineering attack on a carrier:


"I lost my phone & need to buy another one"


The salesperson is motivated to sell a phone but not particularly skilled at verifying identity


FTC: in 2013, 1083 reports of this attack, representing 3.2% of identity fraud reports


Reported attacks have doubled since then (the actual number of incidents is unknown)


High-profile victims of this attack:

  1. DeRay Mckesson via Twitter
  2. Ladar Levison


Phishing ("verifier impersonation attacks") is not at the same assurance level.


The document recommends that relying parties check to make sure it is a mobile phone rather than voice-over-IP


We are not singling out SMS. The document also nixes knowledge-based authentication (KBA) (e.g. "what is the name of your dog?")


We cannot necessarily point private entities to any specific technologies but do mention five or so other mechanisms


Ubiquity and familiarity make SMS attractive. Just because someone has a smartphone doesn't mean they understand it.


SMS is not 100% accessible, especially in rural areas


Deprecating something isn't meaningful unless there is an alternative


Deprecation in the document means: if you can find a better way, you should consider doing it.


If an iPhone is on, the phone will forward the message to iCloud


Eurograbber malware snagged the SMS message on the phone and sent it off to an attacker, who could front-run authentication


The phone is intended to be "something you have". We've been using SMS to prove you have the phone


Alternatives: one-time password device, crypto token


The Signal messaging service will detect if you move an account to a different device by checking the device's fingerprint


Some carriers have APIs to determine how long a telephone number has been associated with a specific device.


Providers can integrate with carrier APIs to verify the IMSI (SIM card) and IMEI (handset)
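The two relying-party checks noted above (mobile-network rather than VoIP line, and carrier-reported SIM/handset association age) combined into one pre-check before an SMS code is sent, as an added example that is not from the session or from NIST; the lookup response shape, its field names, the 7-day threshold and the sample numbers are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed "now" so the sample results are deterministic.
NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Deny SMS if the carrier reports a SIM/handset change more recent than this (assumed policy).
MIN_SIM_AGE = timedelta(days=7)


@dataclass
class NumberLookup:
    """Hypothetical shape of a carrier/number-lookup response (field names are assumptions)."""
    phone: str
    line_type: str                      # "mobile", "voip" or "landline"
    sim_changed_at: Optional[datetime]  # last SIM/handset change; None if the carrier cannot say


def sms_oob_allowed(info: NumberLookup, now: datetime = NOW) -> Tuple[bool, str]:
    """Return (allowed, reason) for sending an SMS one-time code to this number."""
    if info.line_type != "mobile":
        # SP 800-63-3 asks verifiers to confirm the number is on a mobile network, not VoIP.
        return False, f"line type {info.line_type!r} is not a mobile network"
    if info.sim_changed_at is None:
        # Fail closed: without change history we cannot rule out a recent port-out/SIM swap.
        return False, "carrier could not report SIM/handset change history"
    age = now - info.sim_changed_at
    if age < MIN_SIM_AGE:
        return False, f"SIM/handset changed {age.total_seconds() / 3600:.0f} hours ago; possible SIM swap"
    return True, "ok"


# Constructed lookup results; the numbers are reserved fictional ones.
SAMPLES = [
    NumberLookup("+1-555-0100", "mobile", NOW - timedelta(days=400)),  # long-lived mobile: allow
    NumberLookup("+1-555-0101", "voip", NOW - timedelta(days=400)),    # VoIP line: deny
    NumberLookup("+1-555-0102", "mobile", NOW - timedelta(hours=6)),   # fresh SIM change: deny
    NumberLookup("+1-555-0103", "mobile", None),                       # unknown history: deny
]


def evaluate_all(samples=SAMPLES, now=NOW):
    """Evaluate every sample; returns {phone: (allowed, reason)}."""
    return {s.phone: sms_oob_allowed(s, now) for s in samples}


if __name__ == "__main__":
    for phone, (ok, why) in evaluate_all().items():
        print(f"{phone}: {'allow' if ok else 'deny'} ({why})")
```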


PIV standard for federal employees instead of SMS


Duo, FIDO tokens, Google Authenticator


WebAuthn in W3C to integrate FIDO into the browser experience


The federal government and innovative technologies don't always mix, as things take a while