Crossmatch supports NIST guidance on SMS OTP – recommends more secure OTP delivery mechanisms.
SMS is a convenient second factor used by many web services to help authenticate users. When a user logs in from a new location or a new device, the service sends a one-time code to the user's registered cellphone number, and the user types that code into the web form. Because most users already carry a cellphone, this is a very inexpensive way to raise authentication strength above a password alone.
Vulnerabilities and Insecurity
Unfortunately, SMS is not secure. Published attacks show how weaknesses in the SS7 signalling network can be exploited to obtain confidential subscriber information, and SS7 is still the network that serves the large majority of cellphone users. SMS delivery is not encrypted and can be intercepted, and SMS messages can be forged; either property on its own seriously undermines SMS as a delivery channel for a second authentication factor. The SS7 weaknesses are systemic: an attacker can break into the cellular network at a local level, at a centralized level, or both. More modern cellular infrastructure exists alongside SS7, and there are proposals to improve the security of SMS, but the time and investment required to roll out new infrastructure across global networks would leave the vulnerability window open for far too long.
Alternatives to SMS
Therefore, because superior solutions built on capabilities already broadly available on smartphones exist today, NIST is recommending migration to those solutions now. The most likely replacement for SMS is an application-specific push notification: the relying party's app prompts the user to approve the login on the phone, and the approval is returned to the relying party over the app's own channel rather than over SMS. Another approach is a time-based one-time password (TOTP) generated on the mobile device by an app such as Google Authenticator or the Crossmatch OTP app; the code is derived from a shared secret and the current time, so at login nothing travels over the carrier network at all. Ideally, the phone's tamper-resistant hardware (perhaps managed by a secure operating system) would hold the secret instead of a malware-vulnerable application. Nevertheless, the NIST recommendation is a good step in the right direction.
Crossmatch reminds users that SMS-based OTP, while not secure, still adds authentication value over a username and password alone. A smartphone-hosted OTP is more secure and just as convenient. For more information on multi-factor authentication and our DigitalPersona authentication platform, visit us to continue the conversation.
Greg Cannon is Vice President & Chief Technology Officer of Crossmatch responsible for the Company’s standards involvement, intellectual property, software architecture, biometric algorithm development, and continued innovation excellence.