NIST puts the brakes on a slow-mo train wreck

Gerhard Oosthuizen|04 August 2016

I felt a flicker of recognition reading Dave Birch’s reaction this week to news that the US Department of Commerce’s National Institute of Standards and Technology (NIST) is “deprecating” the use of SMS-based authentication.

Dave’s been deprecating SMS one-time passwords (OTPs or mTANs) for almost a decade. As a very widely read influencer and director of Consult Hyperion, his opinion could be seen as less partisan than, say… ours, and as a result holds greater weight.

Dave’s not so sure. Surveying the damage done by SMS OTPs over recent years, he writes, amusingly: “These are all symptoms of the fact that nobody listens to me about mobile banking security.”

He’s not been a lone voice in the wilderness. The GSMA’s Fraud and Security Group, telco lobby groups, analysts, academic studies – all have deprecated SMS for two-factor authentication over the years. At Entersekt, we’ve had hundreds of discussions with organizations explaining how vulnerable SMS OTPs really are. We’ve shared our thoughts more widely too, in industry presentations, webinars, whitepapers, and blog posts.


Many financial institutions have disregarded these and other warnings or at least put off investigating alternatives, perhaps because SMS OTPs have been around so long and were once the dominant form of multi-factor authentication. Attacks on the technology have also varied in ferocity across geographic territories.

South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology too.

NIST hastens the demise of SMS OTP

We think the United States will follow suit, especially now that talk of NIST’s new draft version of their Digital Authentication Guideline is all over industry websites and social media. It’s a big step in the right direction and surpasses anything from the FFIEC in driving multi-factor authentication forward.

There are some issues with the draft that Entersekt will highlight in our response to NIST. It throws around the terms “out of band” (OOB) and OTP somewhat promiscuously. An OTP is never truly out of band, whether it’s delivered via SMS or another route. Because it’s entered into a potentially compromised, primary channel, it will always be vulnerable to man-in-the-middle attacks.

But there are a lot of things that are right in this document. NIST is quite specific about what an ideal solution would look like.

The specification talks about three Authenticator Assurance Levels (AALs). AAL 2 is two-factor authentication. For AAL 2 attestation, NIST states:

  • “The authenticator SHALL display identifying information about the authentication transaction to the claimant prior to their approval.”
  • “Authentication assertions SHALL meet the requirements of [bearer or proof-of-possession] assertions.” They should be stored.
    (For AAL 3 attestation, NIST mandates proof of possession, stored as a record.)
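To make the distinction between an OTP and a true out-of-band approval concrete, here is a small simulation. It is an added example, not code from the article or from Entersekt's products: the sample transactions are constructed, and an HMAC with an enrolled device key stands in for the device's real cryptographic key pair. The point it shows is the one made above: a valid OTP authorises whatever transaction the server received on the (possibly compromised) primary channel, while a signature over the transaction details that the device displayed to the user only verifies against those exact details.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not from the article): what the customer meant to do,
# and what a compromised primary channel (browser or PC) substitutes for it.
INTENDED_TXN = {"payee": "ACME Utilities", "account": "12345678", "amount": "150.00"}
TAMPERED_TXN = {"payee": "Other Account", "account": "99999999", "amount": "150.00"}


def canonical(txn):
    """Deterministic byte encoding so device and server sign/verify identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


# ---- Flow 1: SMS OTP. The code is tied to a session, not to a transaction ----
def issue_otp(sessions, session_id):
    """Server issues a 6-digit code for this session (in reality sent over SMS)."""
    code = f"{secrets.randbelow(10**6):06d}"
    sessions[session_id] = code
    return code


def execute_with_otp(sessions, session_id, submitted_code, txn_from_primary_channel):
    """Server side: a correct OTP authorises whatever transaction arrived on the primary channel."""
    expected = sessions.pop(session_id, None)
    if expected is None or not hmac.compare_digest(expected, submitted_code):
        return None
    return txn_from_primary_channel


# ---- Flow 2: out-of-band approval with proof of possession ----
def device_approve(device_key, txn_shown, user_intended):
    """Device side: display the transaction, and sign exactly what was displayed,
    but only if the user recognises it (modelled as equality with what they intended)."""
    if txn_shown != user_intended:  # user sees the wrong payee on the phone and declines
        return None
    return hmac.new(device_key, canonical(txn_shown), hashlib.sha256).hexdigest()


def execute_with_signature(device_key, txn, signature):
    """Server side: execute only if the signature covers this exact transaction."""
    if signature is None:
        return None
    expected = hmac.new(device_key, canonical(txn), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return txn


def compare_flows():
    """Run both flows against the same tampered primary channel and report what executes."""
    results = {}

    # OTP flow: the user types the SMS code into the compromised browser, which
    # has already swapped the payee. The code is still correct, so the server executes.
    sessions = {}
    code = issue_otp(sessions, "sess-1")
    results["otp_executed"] = execute_with_otp(sessions, "sess-1", code, TAMPERED_TXN)

    # OOB flow: the server pushes the transaction it actually received to the
    # enrolled device (key assumed to live in the device's secure storage).
    device_key = secrets.token_bytes(32)
    sig = device_approve(device_key, TAMPERED_TXN, INTENDED_TXN)
    results["oob_executed_tampered"] = execute_with_signature(device_key, TAMPERED_TXN, sig)

    # A genuine approval of the intended transaction executes, but the same
    # signature does not verify over a different transaction.
    good_sig = device_approve(device_key, INTENDED_TXN, INTENDED_TXN)
    results["oob_executed_intended"] = execute_with_signature(device_key, INTENDED_TXN, good_sig)
    results["oob_replay_on_tampered"] = execute_with_signature(device_key, TAMPERED_TXN, good_sig)
    return results


if __name__ == "__main__":
    for name, outcome in compare_flows().items():
        print(f"{name}: {outcome}")
```

The two properties NIST asks for in the AAL 2 bullets above map directly onto the second flow: the device shows the transaction before approval (`device_approve` signs only what it displayed), and the signature is a proof-of-possession assertion the server can store alongside the transaction record.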

NIST also says:

  • “Mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication”
  • “The [cryptographic] key SHOULD be stored in the most secure storage available on the device (e.g., keychain storage, trusted platform module, or trusted execution environment if available).”

And that killer quote:

  • “OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” (Yes, they actually did put that first part in bold, the only such formatting in the entire document.)

These features will all be familiar to Entersekt’s customers. We have provided mobile-PKI-based authentication and transaction signing out of the box for years in the form of Transakt. Our roadmap is way ahead of this, but we are elated that the world is catching up!

About the author

Gerhard Oosthuizen

CTO

Gerhard provides the organizational and operations heft to turn vision into reality. His role at Entersekt represents the CTO function in its purest and most exciting form. Our purpose is, after all, to design and build high-performance, market-leading software and support systems for an international customer base with extremely high expectations.
