SMS is currently used as an easy-to-implement and ubiquitous out-of-band authenticator. Unfortunately, sophisticated attacks have made SMS authenticators insecure.
As evidence of the broad, regulatory
REL-ID, Uniken’s continuous, omni-channel authentication solution, meets all of the requirements defined by the latest NIST guidelines
Up to now, there have been a number of
Commonly available PII such as names, current and previous addresses, SSNs, and phished or stolen passwords are readily exploited because of widespread and well-documented PII leakage and theft from enterprises and governments. As an example of a broad-based PII theft, you can look to the Office of
In addition to in-store social engineering, there are other simple attacks such as SIM-card replacement hijacks carried out through call centers. There are also more
In an effort to distinguish appropriate levels of prevention against these attacks, NIST defines both “authenticators” and “levels of assurance.” More specifically, NIST states that “Subscriber authentication is performed by verifying that the claimant controls one or more authenticators (called tokens in earlier editions of SP 800-63) associated with a given subscriber.”
The combination of authenticators (one or more, of various types), together with the security of the channel in which those authenticators operate, defines the Authentication Assurance Level. All AALs require a Man-in-the-Middle-proof channel, while AAL3 further requires Verifier Impersonation Resistance (VIR). The VIR requirement augments the AAL with phishing resistance, for example through client-authenticated TLS. Because a TLS client signs the authenticator output along with earlier messages from the protocol that
In addition to the previously stated SMS hijacks, SMS does not offer valid Verifier Impersonation Resistance. The user (claimant) has to manually validate that the system they are connected to is the right system; SMS provides no such integrated capability. Relying on the end user to manually validate a remote site is often beyond the skills of an average user, and it is not encouraged by the user-interface designs of typical browser and SMS-authentication systems.
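To make the VIR point concrete, here is an added toy example (not from the original paper, and not Uniken's or REL-ID's code): a verifier that checks a response bound to the identity of the system the claimant actually connected to rejects an answer obtained through an impersonating site, whereas a plain one-time code, like an SMS OTP, gives the verifier nothing to check. The names bank.example and bank-login.example, the shared device key, and the HMAC-based binding are constructed assumptions standing in for a real channel-bound signature.

```python
import hashlib
import hmac
import secrets

# Constructed identities: the legitimate verifier and an impersonating one.
# In a real deployment this would be the TLS server identity/session binding
# that the client actually established, not a bare string.
REAL_VERIFIER = "bank.example"
FAKE_VERIFIER = "bank-login.example"  # constructed impersonator

# Constructed shared secret between the out-of-band device and the verifier.
DEVICE_KEY = secrets.token_bytes(32)


def sms_otp_response(challenge: str) -> str:
    """SMS-style OTP: depends only on the challenge, never on the channel."""
    return hmac.new(DEVICE_KEY, challenge.encode(), hashlib.sha256).hexdigest()[:6]


def bound_response(challenge: str, verifier_seen_by_client: str) -> str:
    """VIR-style response: the client signs the challenge together with the
    identity of the verifier it is really talking to (channel binding)."""
    msg = f"{verifier_seen_by_client}|{challenge}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def verify_sms(challenge: str, response: str) -> bool:
    """Real verifier's check for an OTP: it can only compare the code."""
    return hmac.compare_digest(sms_otp_response(challenge), response)


def verify_bound(challenge: str, response: str) -> bool:
    """Real verifier's check: the response must be bound to ITS identity."""
    expected = bound_response(challenge, REAL_VERIFIER)
    return hmac.compare_digest(expected, response)


def relay_scenario(use_binding: bool) -> bool:
    """The claimant is connected to the impersonating verifier, which forwards
    the real verifier's challenge and passes the claimant's answer back.
    Returns True if the real verifier accepts the relayed answer."""
    challenge = secrets.token_hex(8)  # issued by the real verifier
    if use_binding:
        # The client binds to the verifier it actually sees: the fake one.
        answer = bound_response(challenge, FAKE_VERIFIER)
        return verify_bound(challenge, answer)
    answer = sms_otp_response(challenge)
    return verify_sms(challenge, answer)
```

Running `relay_scenario(False)` shows the OTP being accepted through the impersonator, while `relay_scenario(True)` shows the bound response being rejected; a response bound to `REAL_VERIFIER` still verifies normally.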
As for message privacy, SMS is unable to send or receive information in private;
Given the issues with SMS uniqueness and VIR, NIST regulators, along with many experts in the security field, assert that in lieu of SMS, “Mechanisms such as smartphone applications that employ secure communications protocols and uniquely identify the out-of-band device SHOULD be used for out-of-band authentication.”
REL-ID, Uniken’s continuous,