Revisiting the NIST 800-63-3 SMS Authentication Conversation

It’s been nearly a year since the National Institute of Standards and Technology, commonly referred to as NIST, rocked the two-factor authentication world with its recommendation that classic, traditional Short Message Service (SMS) not be used to deliver One-Time Passwords.

The recommendation—in their draft 800-63-3—set off a wave of debate in the security community over the role of the entrenched SMS authentication method. So loud was the din that NIST put out a blog qualifying their position on the topic.

Despite that, debate continued. So I thought it would be helpful to revisit what has happened in the intervening year regarding two-factor authentication, and SMS specifically, and discuss how the landscape has shifted.

To be clear, NIST was not saying “Stop using SMS,” rather the method had enough security soft spots that organizations currently using the authentication method should look to move off it over time. Further, organizations deploying new authentication methods should avoid it.

NIST used the word “deprecate”, which caused some panic with organizations wondering if they would pass a PCI or HIPPA audit if SMS two-factor were present. Fortunately, this was not the case.

SMS still retains its relatively weak Level 2 status, where it has always sat among the NIST pantheon, and any credible auditor should know that. In fact, for those paying attention to the obvious flaws in SMS—like the fact that SMS is not encrypted through the data hops—none of what NIST was saying was surprising.

We can leave aside for the moment that NIST up until now has never recommended the application of an authentication method, only it’s relative strength vis-a-vis other methods. In that regard, some think that NIST overstepped its bounds.

Classic SMS has few defenders, even as it has seen significant success in banking and social media applications as an easy-to-deploy authentication method that is often the only thing standing between you and a Facebook hack or an iTunes infiltration. Enter your mobile number, user grudgingly accepted.

But if not SMS, then what? After all, in the quest for the ultimate authentication event horizon—to find a method that is nearly invisible, easy to deploy, accepted by end users, and cost effective—where does this leave us?

The NIST debate has had some real impact in the market. While numbers are hard to come by, organizations are turning away from SMS and moving to Push OTP (also known as Push notification, push token, etc.)

Push OTP is the heir apparent and you see it being rolled out in B2C applications at a record pace. Even within organizations, users with smart phones are preferring Push OTP over other methods such as token or smartcard, where IT security policies allow.

Push OTP has many of the same benefits of SMS, in that it’s an easy delivery method, but goes beyond in many respects through more secure data channels. Plus, the approve/decline feature in most cases can even be used with smart watches.

I always encourage customers to think about authentication methods on a security spectrum, with various methods such as e-grid cards and SMS on one end, and more time-tested PKI/smartcard and token methods on the other.

The fact is, you must balance security, cost and convenience. Sometimes the answer is a method like SMS or its more mature, younger sibling Push OTP that can just fit the bill.

After all, having some two-factor in place is better than having nothing at all.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.

Market Trends
LPTA is Never Appropriate for Biometrics
Biometric Technology Gaining Traction in User Authentication
Market Trends
The NY State Cybersecurity Rule: Does It Go Far Enough to Prevent a Future Equifax-Type Breach?