9th - Aug - 2016

NIST proposed deprecation of SMS for 2-factor authentication (2FA) may lead to 72 percent of Americans not adopting 2FA at all

I went on vacation a few weeks ago and returned to a world seemingly in panic over the draft NIST Guidelines on Digital Authentication and its deprecation of SMS for use in 2-factor authentication (2FA). After reading countless articles I was disappointed at the apparent media frenzy with their circular reasoning and lack of fundamental research required to outline the true risks and implications of this proposal to businesses and consumers. The risks of using SMS in 2FA identified by NIST are not widely understood and I would have liked to see far more emphasis on what can be done to mitigate these risks without assuming that SMS will at some point be removed from 2FA altogether.

It is interesting that much of the publicity and attention has been on SMS, but many (if not all) of the weaknesses with SMS are identical for voice and as such deprecating SMS would most likely lead to the deprecation of voice in time too.

Credit must go to John Fontana for Identity Matters (ZDNet), Violet Blue (Engadget) and Michelle Maisto (eWEEK) for at least calming the frenzy and bringing some clarity to the debate. Credit must also go to Paul Grassi from NIST for writing a blog outlining the reasons for their draft decision which went a long way to calm the nerves of many.

In this blog, I will argue that whilst SMS has some weaknesses, it is the only out of band authentication type with the ubiquity and convenience that could have driven the adoption of 2FA by mainstream, non-technical users so fast over recent years. I believe that deprecating SMS now will lead to slower adoption of 2FA across all Authenticator Types and inhibit reaching NIST’s overall objective, which is to encourage businesses to always use 2FA. Ease of use and convenience is by far the most important aspect of 2-factor authentication adoption and SMS leads the pack in terms of overall adoption for this reason. 

As we know from recent media stories the fundamental email address combined with password (memorized secret) combinations are extremely weak. Adding 2FA (regardless of Authenticator Type) significantly increases security; so it is no surprise that NIST would like to see this become a reality.

In this blog I will attempt to break down the discussion into something that is better structured and researched. In case you don’t want to read the whole thing, the conclusions are as follows:

  • The NIST suggestion to deprecate SMS is premature and will damage the overall adoption of 2-factor authentication by businesses and users alike.

  • Not offering SMS as a 2FA alternative to time-based one-time password (TOTP) applications will make it extremely difficult and costly for businesses to deal with users who have had their devices lost or stolen.

  • Only 79.1% of US subscribers currently have a smartphone, of which more than half only download an app very, very rarely.  This leads us to conclude that, without SMS, more than 72% of Americans will be stuck without a viable 2FA solution.

  • The weaknesses of SS7 and SMS are exaggerated when it comes to attempting a remote hack en-masse, and consequently mobile operators should focus on securing their networks and proving to NIST that these intercept risks have been resolved.

Firstly, who is NIST?  Some international readers may not be familiar with who they are and what they do. Basically they are “a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce.”  An important point here is that they encourage businesses to follow the standards they set, but they cannot force anyone to adhere to them. The US Federal Government however may be required to comply with their standards.

Secondly, it should be noted that the NIST guidelines are currently in DRAFT form and anyone who wishes to make comments can do so here.  It’s likely that the final recommendation will only take place early next year.

I’ve created a diagram to try and explain the rationale by NIST to propose deprecating SMS from two-factor authentication.

Flowchart outlining two-factor authentication processes

In summary, NIST wants to deprecate SMS for use in 2-factor authentication because a.) more secure methods (albeit less convenient) exist, and b.) SMS is perceived as being insecure, largely because of the number of recent press articles discussing the weaknesses of SS7 that have found their way into mainstream media.

Are there more secure methods than SMS 2FA without losing the convenience? 

It is important to emphasise that ‘deprecate’ in this context is not banning or disallowing but rather recommending that other methods be used in its place. Paul Grassi writes on the NIST blog that they simply want to discourage the use of SMS because

you can use this puppy for now, but it’s on its way out.

There is no denying that more secure methods do exist provided that the user is willing to download a TOTP or other app and configure that app to work with a particular service. This seems unlikely to be done across mainstream, non-technical users for the reasons cited below. Furthermore this method, albeit more secure, is no silver bullet for replacing SMS entirely. 

For the purposes of this blog I will assume that all smartphones are protected by at least a 4-digit pin (or fingerprint) and that in the event of a phone being lost or stolen it will be reported very quickly after the fact so as to ensure that the SIM card is rendered useless. The security implications of this not being the case are therefore out of scope of this blog.

If we assume this to be true then a fundamental issue with the TOTP method arises when you lose your device or get a new one as I recently discovered; the only way that I could access my personal email on Google (which had 2-factor authentication enabled) was to use SMS, as I needed to have access to my account before I could re-configure my Google Authenticator app on my new device.

Without SMS I simply would not have been able to access my account without going through a 3-day process with Google to prove that I had lost my device. I therefore conclude that both should be used as a backup for the other and that SMS plays a fundamentally important role in this use case.

Screenshot of a Forbes infographic to the question: 'How often do Americans upgrade their Smartphones?'

As you can see from the Forbes / Statista (Source: Gallup) study in 2015, users are most likely to change their phone every two years, which on a rolling basis, is around 8.3 million people per month changing their device; this is a vast amount of people who will discover their TOTP app cannot easily be transferred to another device without SMS 2FA. See image below of the options to login to Google with a new device.

Screenshot of Google's 2FA process

We have seen similar co-dependencies in the world of OTP messaging apps whereby apps such as Viber, Whatsapp etc., use SMS and Voice to validate and map a device to a telephone number. Given that SMS should always be used as a backup, then the overall security of a service will always be only as strong as SMS, and to that end I would far rather have mobile operators focus on increasing the security of SMS in 2-factor authentication by installing firewalls than encourage businesses to disband it.

It should be noted that while TOTP apps are more secure, they are still vulnerable to attack just like any other software. Whichever TOTP app you use, you need to make sure its developer can be trusted to keep it updated (without losing service configurations) and will be in business in perpetuity. Fail to ensure this and you risk leaving all your users stranded and having to ask them to change their authenticator app at some point.

Pie chart showing the number of app downloads per month performed by smartphone users

Lastly, consider the number of US mobile phone subscribers that have a realistic chance of actually downloading a TOTP app. We forget that not everyone in the world has a smartphone, and as a consequence SMS again becomes the best method for these users. Comscore currently believes US smartphone penetration sits at 79.1%, leaving nearly 21% of the population unlikely to use any mobile based out of band authentication type (except SMS).

This however is not the whole story, as the number of users that ever download an app on their smartphone is extremely low, with 65.5% of those users hardly ever downloading an app. This means that 72% of the US population are unlikely to ever download an alternative to SMS 2FA.

Is SMS really non-secure?

NIST outlines two primary concerns. The first is specific to virtual numbers (i.e. numbers not associated with a physical device, such as VOIP or numbers linked to an app), or physical numbers that have been configured to receive messages via an IP service. This includes numbers such as those provided by Skype, or even those accessible on iMessage via your desktop. The concern here is that although these services are not necessarily insecure, they are only as secure as their own access controls, which in most cases are a username and a memorised secret, and are thus susceptible to remote attacks at scale without triggering a warning to the owner of the number that it has been compromised. I think this is a legitimate concern, but we can go a long way towards solving it by a.) reminding users not to use these services on numbers that are being used for 2FA, and b.) doing an MNP lookup as part of the number validation service to ensure that the number is not a VOIP or virtual number.

The second concern relates to how physical numbers can be intercepted through weaknesses in the SS7 infrastructure. These weaknesses have been relatively well documented by various studies and media articles, but in my view the risks associated with these weaknesses have been significantly overstated in the media due to a lack of understanding of the SS7 network and a starting assumption that ‘access to the SS7 network that can reach the victim’s network is easy to obtain’.

Their fundamental starting assumptions are that the attacker has:

  • the telephone number of the victim.  This may seem trivial in a targeted attack but pulling off a hack en-masse would require a mapping of usernames, emails and mobile phone numbers which is not trivial.

  • access to the SS7 network.  Many of the demonstrations suggest that getting access to the SS7 network is trivial and the attacker has access to this network.

  • access to a SS7 network which in turn has signalling reach and/or a roaming agreement with the victim’s home network.

  • ensured the victim’s home network does not have protection against this type of fraud and / or not monitoring for it.

  • ensured the victim has roaming enabled on their account or this could be manipulated in some way by the attacker separately.

  • in-depth SS7/Sigtran expertise and equipment to pull off the hack (probably requires $10k investment to do it properly).

  • the ability to coordinate the sending of a 2-factor message during the time window in which the SIM card has ‘roamed’ to the fake network.

  • left no evidence and cannot be traced.

In order for all 8 points to be satisfied, I would argue that the attacker would need to be a rogue employee inside a carrier with sufficient rights to intercept a message. Gaining access to the victim’s mobile operator SS7 network from the outside (i.e. not from another large MNO network) seems to be as likely as compromising the firewall of the service provider you are trying to hack. Pulling off a hack en-masse involving victims from multiple carriers during a very small time window seems extremely unlikely.

Interestingly, Verizon and Sprint are immune to this type of roaming intercept fraud due to the fact that they are CDMA and not GSM networks. As they roll out 4G LTE this may change, but as of right now they are probably the most secure as it relates to SMS 2FA. This is roughly 50% of all subscribers. A simple mitigation to this ‘roaming intercept’ risk on the other networks is to perform an HLR lookup of the telephone number before authenticating a user to ensure they are on their home network and not roaming.
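The two lookups proposed above (MNP to reject VOIP or virtual numbers, HLR to confirm the subscriber is on their home network) can be combined into a single gate that runs before a passcode is sent. This is an added example, not code from the original post or from any lookup provider; the LookupResult fields, the sms_otp_gate function and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    SEND_SMS = "send_sms"
    USE_ALTERNATE = "use_alternate_factor"  # e.g. TOTP app or manual recovery


@dataclass(frozen=True)
class LookupResult:
    """Hypothetical normalised MNP + HLR lookup response (not a real provider schema)."""
    number_type: Optional[str]      # "mobile", "voip", "virtual", ... or None if unknown
    home_network: Optional[str]     # MCC-MNC owning the subscription (after porting)
    serving_network: Optional[str]  # MCC-MNC the handset is attached to right now


def sms_otp_gate(lookup: Optional[LookupResult]) -> Tuple[Decision, str]:
    """Decide whether an SMS passcode may be sent to this number."""
    # Fail closed: a lookup outage must not silently disable the check.
    if lookup is None:
        return Decision.USE_ALTERNATE, "lookup unavailable"
    # MNP check: only numbers bound to a physical SIM are acceptable.
    if lookup.number_type != "mobile":
        return Decision.USE_ALTERNATE, f"number type is {lookup.number_type or 'unknown'}"
    # HLR check: both networks must be known before they can be compared.
    if not lookup.home_network or not lookup.serving_network:
        return Decision.USE_ALTERNATE, "roaming state unknown"
    if lookup.serving_network != lookup.home_network:
        # Could be a genuine traveller, so offer another factor rather than lock out.
        return Decision.USE_ALTERNATE, "subscriber is roaming"
    return Decision.SEND_SMS, "mobile number on home network"


# Constructed sample lookups: numbers use the fictional 555-01xx range and
# MCC-MNC values use the 001 test network code.
SAMPLES = {
    "+12025550101": LookupResult("mobile", "001-01", "001-01"),
    "+12025550102": LookupResult("voip", None, None),
    "+12025550103": LookupResult("mobile", "001-01", "001-02"),
    "+12025550104": LookupResult("mobile", "001-01", None),
    "+12025550105": None,  # lookup provider did not answer
}

if __name__ == "__main__":
    for msisdn, result in SAMPLES.items():
        decision, reason = sms_otp_gate(result)
        print(f"{msisdn}: {decision.value} ({reason})")
```

A roaming or unknown result routes the user to another factor instead of rejecting the login, since a legitimate subscriber travelling abroad looks the same to the lookup as a number that has been moved to another network.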

The other threat that is commonly cited when discussing SMS security is the relative ease with which someone can obtain a clone of your SIM card and/or get a customer care agent to reveal the contents of an SMS. While much has been made of the idea that a person can trick a mobile carrier store employee into making a new SIM for an alternate person, this can clearly not be done en-masse and has a high probability of detection, both from the real person having network authentication fail and from in-store records and video identifying the perpetrator. Similarly, getting an inside, technical employee of either a carrier, aggregator, or sending company to access SMS message logs and reveal the contents of a specific message seems highly unlikely at scale or in situations where the goal is to thwart security methods, such as 2FA.

Lastly, it is true that malware can intercept an SMS message on a device (particularly on Android), but one could argue that this is not a weakness of SMS, but rather a weakness of the mobile operating system and/or anti-virus software.

Recommendations

Recommendations to Businesses

  • Continue to use SMS 2FA for most typical business applications. Consider using other 2FA methods for the most critical, high-security use cases. Give users a choice between SMS and TOTP apps in many situations, and as a backup for one another.

Recommendations to Mobile Operators / Carriers

  • Block all SS7 access from operators that do not have roaming agreements

  • Implement SS7 and SMS Firewalls to monitor for and detect intercept fraud

  • Understand threat vectors and constantly mitigate these risks

  • Frequently undergo penetration testing to ensure the SS7 network is secure

  • Ensure IR21s are kept commercially confidential and try to use non-sequential Global Titles for core network infrastructure

  • Work with standards bodies including NIST to better explain the likely risks associated with SMS 2FA

  • Allow providers legitimate paid access to HLR lookup (without full IMSI) to ensure that roaming intercept fraud could be determined.

Recommendations to Consumers

  • Auto-lock your phone and require passcode or fingerprint to unlock

  • Enable 2FA on all accounts with either SMS or TOTP

  • Protect device from malware

  • Turn on roaming only when you are likely to go abroad

  • Determine whether any of your email address(es) have ever been hacked by visiting haveibeenpwned.com and never use those passwords ever again

  • Use howsecureismypassword.net/ to choose a strong password and ensure you use a different password and / or email address for each service.  Remember a 3 word password (e.g. fish.hammer.cake) is orders of magnitude stronger than an 8 digit string of random letters / numbers and far more memorable.

Having personally found my Myspace, Linkedin, Adobe and Tumblr email and password on the public internet, it’s no surprise to me how often this type of simple authentication gets hacked, and why one hack can lead to many others. Use a strong password and ensure you use a different password and / or email address for each service.

Summary

The ease, convenience and ubiquity of SMS in 2FA is our only collective chance of rolling out 2FA across a mass audience any time soon. It offers a sweet spot between simple username and passwords (which are not secure), and the more advanced secure TOTP solutions that exist today.

Businesses should continue to adopt SMS for 2FA for most types of services as this is significantly more secure than not using 2FA at all. For those businesses and consumers that want to take additional precautions this blog offers up a number of mitigations including doing MNP / HLR lookups before each authentication.

It is strongly recommended that the Mobile Operator community work to reduce the risks of roaming intercept fraud, or at the very least, speak out in the media on how well they understand and have mitigated against these risks.

By far the most important outcome is to have every company adopt 2FA in some way, and then encourage all consumers to adopt it. SMS will help with that adoption because a.) more than 72% of Americans either do not have a smartphone or are unlikely to download and configure a 2FA app, and b.) changing devices without SMS on 2FA enabled services can be time consuming and frustrating for businesses and users alike.

It should be remembered that security is not just about technology, but rather about company policies and processes. In my view weaknesses in this area pose a far greater risk than the weaknesses of SMS in 2FA.

Our overall recommendation to NIST is to NOT deprecate SMS but to continue to advise that SMS can be used for many/most 2FA uses, and to recommend ways to increase security when needed, as outlined in this blog. For services that are particularly high-risk or high-loss situations we agree that TOTP or equivalent is a better solution provided that users are likely to adopt it.

Author:  Rob Malcolm, VP Marketing & Online Sales at CLX Communications
