You’ve probably been investigating 2-Factor Authentication (2FA) more and more recently. With each new data breach or password dump in the news, you increasingly realize that security doesn’t end with strong passwords.
The National Institute of Science and Technology (NIST) has deprecated SMS — one popular and widespread method of achieving 2FA. Whether you now need to replace a 2FA method in your organization and implement another, or whether you’re just getting started with 2FA, the NIST announcement definitely signals that it’s time to look for better ways to secure logins.
To provide you with some helpful information on different aspects of 2FA — and how to achieve it without SMS — we’re publishing a couple of blog posts that will explain why SMS has been used for 2FA; why NIST has deprecated SMS; and how you can replace it.
This is the first in a series on 2FA. The following are Parts 2 and 3:
- How to Implement 2FA Security in Your Organization Using Duo Security
- How Your End Users Can Enable Their Mobile Phones to Act as 2FA Devices
Why Was SMS Used For 2FA?
2FA is a process that requires a secondary means of account authentication in addition to a password and username in order to provide stronger authentication of identity, and thus an added layer of security. In its most basic form, a user might provide the answer to a predetermined question after entering their username and password. A more sophisticated and increasingly common scenario is to use a physical token or a mobile phone combined with SMS text or an app like Google Authenticator to provide an additional authentication value. While passwords are typically static (they shouldn’t be, but how often do you change all yours?), the authentication code is temporal, so even a leaked code has limited use. This form of 2FA requires an attacker to not only know an account’s password but also have possession of the victim’s phone, and if the phone is secured properly, have compromised the phone as well. Services like Google, GitHub, and Amazon Web Services provide the option to add this additional security.
Using SMS for 2FA became increasingly popular as mobile phones became a part of everyday usage. People could use an object they already carried around daily instead of having to carry an additional object like a token.
Why is NIST Deprecating SMS?
In the latest draft of its Digital Authentication Guideline, the National Institute of Science and Technology is deprecating SMS:
Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of Band] using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
According to NIST, they are deprecating SMS for reasons that center on:
- Questions about the ability to deliver authentication codes to a single entity without interception
- Demonstrated weaknesses in Signaling System 7 (SS7), used by global telecom carriers
NIST points out that 2-Factor Authentication is meant to work by requiring a user to provide something they know (e.g., a password) and something in their possession (e.g., a randomized code provided by a piece of hardware). The versatility of SMS makes it difficult to assume that the second factor was distributed only to devices in that person’s possession. First, SMS messages can be sent to VoIP networks. This means that an authentication code can potentially be distributed to multiple end points (a feature of many VoIP services). Communication can be received on a variety of devices, whatever is handy at the time. Unfortunately, this also means that an authentication code can be delivered to a compromised endpoint. One doesn’t need to have access to a user’s physical phone to intercept the second code. They only need access to the user’s VoIP account, which they may be able to access from any geographic location. The SMS protocol was initially thought of as a mobile-to-mobile only communication platform, but VoIP has changed that assumption. For this reason, NIST’s proposal explicitly requires verifying that the phone number is associated with a mobile phone network and not a VoIP service.
In addition, issues exist with Signalling System 7 (SS7), the protocol suite used by most telecom carriers around the world. Security researchers have been able to exploit flaws in SS7 that have allowed the interception of SMS messages. Even in a situation where communication is intended to be delivered to a single endpoint, SMS can no longer reliably guarantee that.
How Can You Protect Your Users Using 2FA if SMS is Not Available?
If SMS is no longer a viable way of achieving 2-Factor Authentication, or if you are not currently using 2FA at all, how can you, as the person responsible for security in your company, increase the security of your organization and your end users?
The simple answer is that you can easily implement 2FA using Duo Security, which provides a service that can be integrated in a variety of places in your environment.
Why Duo Security? At the end of the day, you can choose from any of the numerous 2-Factor Authentication platforms and programs available today. We’ve chosen Duo in this post because of its simplicity, its ease of use, and the fact that it’s a service that we use at Threat Stack.
Implementing 2FA Via Duo Security
Duo is a cloud-based SaaS service that simplifies the management of end users and their 2FA devices. It lets organizations use what almost all of their employees already have — a mobile phone. This removes the burden of purchasing, storing, and managing token devices, which can be onerous for smaller and younger organizations. More established organizations have the option of continuing to use tokens, or they can follow the mobile phone route as well. In effect, the service that Duo provides changes the question from “How does your organization implement and manage 2FA?” to “Why hasn’t your organization implemented 2FA?”
Conclusion and Next Steps . . .
So to restate: Anything you can do to strengthen security of data, devices, and apps in your organization is beneficial, and 2-Factor Authentication is one of the most straightforward means of doing so. With SMS on the way out, you need an alternate means of achieving 2FA (or a new way, if you’re not using 2-Factor Authentication at this point). And one way of doing this is by implementing Duo Security.
In my next post I’ll provide some useful guidance on how you can implement Duo throughout your organization.