SMS is currently used as an easy-to-implement and ubiquitous out-of-band authenticator. Unfortunately, sophisticated hacks have made SMS authenticators insecure.
As evidence of the broad regulatory deprecation of SMS authentication, one can look to the August 2016 National Institute of Standards and Technology Special Publication 800-63B, Digital Authentication Guideline.
To date there have been a number of well-documented SMS hacks. One prominent example is the Chief Technologist of the Federal Trade Commission (FTC), who had her mobile phone SIM card copied through simple social engineering at a phone store in Ohio. All the thief needed was her phone number, her name, and a fake ID. While the specifics of the hijack did not state whether additional checking was done, asking for her SSN or other PII would not necessarily have been a deterrent.
Commonly available PII such as names, current and previous addresses, SSNs, and phished or stolen passwords is subject to significant exploitation because of widespread and well-documented PII leakage and theft from enterprises and governments. As an example of a broad-based PII theft, one can look to the Office of Personnel Management data breach.
In addition to in-store social engineering, there are other simple hacks such as SIM card replacement hijacks through call centers. There are also more successful and more sophisticated attacks, such as the use of fake cellular towers (i.e., IMSI catchers or “stingrays”). Even weaknesses in SS7 (the signaling protocol used within and between telcos for voice networks) can be exploited by hackers, as documented in the CBS 60 Minutes segment.
What does NIST expect?
In an effort to distinguish appropriate levels of prevention against these attacks, NIST defines both “authenticators” and “levels of assurance.” More specifically, NIST states that “Subscriber authentication is performed by verifying that the claimant controls one or more authenticators (called tokens in earlier editions of SP 800-63) associated with a given subscriber. A successful authentication results in the assertion of an identifier, either pseudonymous or non-pseudonymous, and optionally other identity information, to the relying party (RP)”. NIST further defines Authentication Assurance Levels (AAL) from 1 to 3, each building on the assurance provided by the level below it. The levels are:
- AAL 1 provides single factor remote network authentication, giving some assurance that the same Claimant who participated in previous transactions is accessing the protected transaction or data.
- AAL 2 provides high confidence that the claimant controls the authenticator registered to a subscriber. At least two different authentication factors are required.
- AAL 3 provides very high confidence that the claimant controls the authenticator registered to a subscriber. Authentication at AAL 3 is based on proof of possession of a key through a cryptographic protocol.
It is the combination of one or more authenticators of various types, together with the security of the channel over which they operate, that defines the Authentication Assurance Level. All AALs require a man-in-the-middle-resistant channel, while AAL3 further requires Verifier Impersonation Resistance (VIR). The VIR requirement augments the AAL with phishing resistance, for example through client-authenticated TLS. Because a TLS client signs the authenticator output along with earlier protocol messages that are unique to the particular TLS connection being negotiated, TLS can meet the VIR requirement. The VIR standard also allows other protocols, so long as they irreversibly make the authenticator output unusable by a fraudulent verifier.
Does SMS meet the NIST standards?
In addition to the SMS hijacks already described, SMS offers no Verifier Impersonation Resistance. The user (claimant) has to manually validate that the system they are connected to is the right one; SMS provides no such integrated capability. Relying on the end user to manually validate a remote site is often beyond the skills of an average user, and it is not encouraged by the user-interface designs of typical browsers and SMS-authentication systems.
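To make the VIR point concrete, the following added example (not code from the page or from Uniken) simulates one login relayed through a fraudulent verifier, once with an SMS-style code and once with an output bound to the TLS connection the device actually sees. The channel_binding function and all keys are constructed stand-ins; real TLS derives the binding from the negotiated connection.

```python
import hashlib
import hmac
import secrets


def channel_binding(server_identity: bytes, handshake_nonce: bytes) -> bytes:
    """Constructed stand-in for a TLS channel-binding value (assumption, not a real API).
    In real TLS it is derived from the negotiated connection (server certificate plus
    handshake transcript), so two different connections never share the same value."""
    return hashlib.sha256(b"cb|" + server_identity + b"|" + handshake_nonce).digest()


def sms_otp(seed: bytes, challenge: bytes) -> str:
    """SMS-style one-time code: depends on the challenge only, not on any channel."""
    digest = hmac.new(seed, challenge, "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def bound_output(device_key: bytes, challenge: bytes, binding: bytes) -> bytes:
    """Authenticator output computed over the challenge AND the channel binding."""
    return hmac.new(device_key, challenge + binding, "sha256").digest()


def relay_accepted(use_channel_binding: bool) -> bool:
    """Simulate a fraudulent verifier sitting between claimant and real verifier.

    Returns True if the real verifier accepts the relayed authenticator output."""
    seed = b"constructed-sms-seed"          # secret behind the SMS-style code
    device_key = b"constructed-device-key"  # key held by the registered out-of-band device
    challenge = secrets.token_bytes(16)     # issued by the real verifier for this login

    # Two distinct TLS connections exist: claimant <-> phisher and phisher <-> real site.
    cb_claimant_to_phisher = channel_binding(b"CN=phisher.example", secrets.token_bytes(32))
    cb_phisher_to_real = channel_binding(b"CN=bank.example", secrets.token_bytes(32))

    if not use_channel_binding:
        # The claimant types the code into the phishing page; the phisher forwards it
        # unchanged, and nothing in the code ties it to the phisher's connection.
        code = sms_otp(seed, challenge)
        return hmac.compare_digest(code, sms_otp(seed, challenge))

    # The device binds its output to the connection it actually sees (the phisher's) ...
    relayed = bound_output(device_key, challenge, cb_claimant_to_phisher)
    # ... while the real verifier recomputes over the connection it actually sees.
    expected = bound_output(device_key, challenge, cb_phisher_to_real)
    return hmac.compare_digest(relayed, expected)
```

The unbound code is accepted when relayed; the channel-bound output is rejected because the fraudulent verifier cannot make its own connection look like the claimant's.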
As for message privacy, SMS cannot send or receive information in private, nor can it provide assurance that messages are uniquely addressable, meaning that only one device can receive a given message. As virtual VoIP devices have become more popular, SMS uniqueness can no longer be guaranteed.
What should be used?
Given the issues with SMS uniqueness and VIR, NIST regulators, along with many experts in the security field, assert that in lieu of SMS, “Mechanisms such as smartphone applications that employ secure communications protocols and uniquely identify the out-of-band device SHOULD be used for out-of-band authentication.”
REL-ID, Uniken’s continuous, omni-channel authentication solution, meets all of the requirements defined by the latest NIST guidelines. Without sacrificing the user experience, REL-ID simultaneously and mutually (client and server) authenticates in a manner that ensures 100% authentication confidence for both sides of the connection with zero risk of credentialing material being subverted by nefarious sites. The protocol at the heart of REL-ID is proof against man-in-the-middle attacks and phishing. Moreover, the protocol is built to facilitate continuous revalidation of the device fingerprint for the duration of a session.