By Karin Tansey
We’ve all been there. You forgot your password and are about to embark on the dreaded password reset process. You are told that a one-time passcode (OTP) will be sent to your email address or to your mobile phone by short message service (SMS). You must then retrieve that OTP and enter it to prove it reached you before you can set a new password.
Welcome to Out-of-Band Authentication (OOBA).
So why would anyone think SMS two-factor authentication is going away? Well, for those not in the know: in June 2017 the National Institute of Standards and Technology (NIST) published a revised edition of its Digital Identity Guidelines (Special Publication 800-63-3), including updated OOBA rules in the authentication volume, SP 800-63B. NIST is a non-regulatory agency of the United States Department of Commerce that publishes standards to help make information systems more secure, usable and interoperable. Essentially, it is the guiding North Star for the rest of us, and we are expected to address these standards when developing new products and solutions.
So, what happened?
In the same June 2017 release of the Digital Identity Guidelines, NIST explicitly acknowledged the dangers of the 21st century. Simply put, the guidelines determined that delivering authentication secrets over the Public Switched Telephone Network (PSTN), whether by SMS or by voice call, is weak and open to exploitation, because the secret can be intercepted or redirected before it reaches the subscriber. NIST therefore designated the PSTN a RESTRICTED channel and updated its OOBA rules. Specifically, the item that caught a lot of attention was the new requirement that the verifier (the party that issues and then checks the OTP) take additional steps to confirm who will actually receive the message when telephony is used to deliver OTPs for authentication.
The main takeaways:
- Email and VoIP are out. “Methods that do not prove possession of a specific device, such as voice-over-IP (VoIP) or email, SHALL NOT be used for out-of-band authentication.” [1] In NIST parlance, “SHALL NOT” is an absolute prohibition, not a recommendation.
- Verify, then send. A verifier sending OTPs via the PSTN “SHALL verify that the pre-registered telephone number being used is associated with a specific physical device.” [2] “SHALL” is interpreted as a mandatory requirement. This applies to both SMS and voice-call delivery of OTPs.
- Here today, gone tomorrow. Because threats to the PSTN, and the PSTN itself, are certain to evolve, “NIST may adjust the RESTRICTED status of the PSTN over time.” [3] The status could change to eliminate this channel entirely or to reinstate it without restriction; only time will tell.
Now what do I do?
Since email and VoIP are no longer valid options, what’s a verifier to do?
The point is that the verifier must first make sure it has identified the device on the other end and is communicating in accordance with these guidelines. As more and more companies send OTPs to mobile phones, fraudsters have kept pace by developing ways to take over those phone numbers, most notably SIM swapping. In a SIM swap, the bad guy pretends to be you and convinces a customer support representative at your mobile carrier that you lost your phone, so the carrier activates your number on a SIM card in a phone the attacker controls. From that moment every OTP sent to “your” number lands in the attacker’s hands, while the verifier sees nothing unusual.
In acknowledgement of this attack vector, NIST noted that verifiers “SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret” [4] and that “Changing the pre-registered telephone number” [5] is treated as binding a new authenticator rather than as a routine profile update: the subscriber must be authenticated at the existing level before the new number is accepted, and no OTP should be sent to a number that has not yet been bound.
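The pre-send checks described above (the VoIP prohibition, the requirement to tie the number to a physical device, the SIM-change, porting and device-swap risk indicators, and the rule that an unregistered number is a new authenticator binding) can be expressed as a single gate the verifier runs before it ever hands an OTP to the SMS gateway. The following is an added example written for this article; it is not Early Warning’s product code and not code from NIST. The `MnoRecord` fields, the sample lookups and the seven-day window are all assumptions standing in for a real carrier (MNO) query.

```python
"""Pre-send risk gate for out-of-band OTP delivery over the PSTN.

Added illustrative example, not Early Warning's product code and not code
from NIST. MnoRecord (line type, device binding, SIM-change / port /
device-change timestamps) is an assumed stand-in for a carrier lookup; the
field names and the seven-day window are this example's own choices.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    SEND_SMS = "send_sms"      # PSTN delivery acceptable: send the OTP by SMS
    SEND_VOICE = "send_voice"  # landline: a PSTN voice call is the only option
    STEP_UP = "step_up"        # risk indicator present: use a non-PSTN authenticator
    REJECT = "reject"          # channel prohibited or number not bound to a device


@dataclass
class MnoRecord:
    """Constructed stand-in for a mobile network operator lookup (assumed shape)."""
    line_type: str                        # "mobile", "landline" or "voip"
    device_bound: bool                    # carrier ties the number to one physical handset/SIM
    last_sim_change: Optional[datetime]   # None if unknown or never changed
    last_port: Optional[datetime]
    last_device_change: Optional[datetime]


@dataclass
class Enrollment:
    """The telephone number the subscriber pre-registered with the verifier."""
    phone_number: str


RECENT_CHANGE_WINDOW = timedelta(days=7)  # assumed policy value, not a NIST figure


def _changed_within(ts: Optional[datetime], now: datetime, window: timedelta) -> bool:
    return ts is not None and now - ts <= window


def assess_otp_delivery(enrollment: Enrollment, mno: MnoRecord,
                        requested_number: str, now: datetime) -> Tuple[Decision, str]:
    """Decide whether an OTP may go out over the PSTN, and how.

    Checks run from hard prohibitions (SHALL NOT) to advisory risk
    indicators (SHOULD), in the order SP 800-63B section 5.1.3 states them.
    """
    # A number other than the pre-registered one is not a delivery address; it is a
    # request to bind a new authenticator, which has its own flow. Never OTP it on the spot.
    if requested_number != enrollment.phone_number:
        return Decision.REJECT, "number differs from pre-registered number; bind a new authenticator first"
    # VoIP does not prove possession of a specific device and SHALL NOT be used.
    if mno.line_type == "voip":
        return Decision.REJECT, "VoIP number does not prove possession of a device"
    # The verifier SHALL verify the number is associated with a specific physical device.
    if not mno.device_bound:
        return Decision.REJECT, "carrier cannot associate this number with a physical device"
    # The verifier SHOULD weigh SIM change, number porting and device swap before using the PSTN.
    for label, ts in (("SIM change", mno.last_sim_change),
                      ("number port", mno.last_port),
                      ("device change", mno.last_device_change)):
        if _changed_within(ts, now, RECENT_CHANGE_WINDOW):
            return Decision.STEP_UP, f"{label} within the last {RECENT_CHANGE_WINDOW.days} days"
    if mno.line_type == "landline":
        return Decision.SEND_VOICE, "landline: deliver the OTP by voice call"
    return Decision.SEND_SMS, "no risk indicators for this number"


# Constructed sample lookups for a subscriber enrolled with +15555550100.
NOW = datetime(2017, 6, 30, 12, 0, tzinfo=timezone.utc)
SUBSCRIBER = Enrollment(phone_number="+15555550100")
SAMPLE_LOOKUPS = {
    "clean_mobile": MnoRecord("mobile", True, NOW - timedelta(days=400), None, None),
    "sim_swapped_yesterday": MnoRecord("mobile", True, NOW - timedelta(days=1), None, None),
    "ported_last_week": MnoRecord("mobile", True, None, NOW - timedelta(days=6), None),
    "voip_number": MnoRecord("voip", False, None, None, None),
    "landline": MnoRecord("landline", True, None, None, None),
}


def run_demo() -> Dict[str, Decision]:
    """Run every sample through the gate; the attacker-shaped cases are rejected or stepped up."""
    results = {}
    for name, rec in SAMPLE_LOOKUPS.items():
        decision, reason = assess_otp_delivery(SUBSCRIBER, rec, SUBSCRIBER.phone_number, NOW)
        results[name] = decision
        print(f"{name:24s} -> {decision.value:10s} ({reason})")
    # A request to deliver the OTP to a number the subscriber never registered.
    decision, reason = assess_otp_delivery(SUBSCRIBER, SAMPLE_LOOKUPS["clean_mobile"], "+15555550199", NOW)
    results["unregistered_number"] = decision
    print(f"{'unregistered_number':24s} -> {decision.value:10s} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

Two design points worth noting. The gate returns a reason string with every decision so the outcome can be logged and fed back into fraud analytics, which is what makes the “other abnormal behavior” indicator workable over time. And a recent SIM change does not deny the login outright; it steps the subscriber up to a non-PSTN authenticator, so a legitimate customer who really did replace a phone is inconvenienced rather than locked out, while the attacker who just swapped the SIM gets nothing over SMS.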
In response to the NIST guidelines, Early Warning took immediate steps to enhance its OTP solution by fortifying it with Mobile Network Operator (MNO) data that associates the device receiving the SMS with the intended recipient. The enhanced solution lets verifiers check for risk indicators such as a recent SIM change or number port before sending the OTP, so the authentication decision is an informed one. Ask the right questions, and know the answers, before you send that OTP, and you will have taken one very large step towards securing your out-of-band authentication.
Interested in hearing more about securing your current out-of-band authentication solutions?
Be sure to look out for part two of this SMS out-of-band authentication blog series, where I’ll go deeper into securing OTP messages with MNO data. I’ll also cover the importance of striking the right balance of friction: enough to keep fraudsters out, while giving your good customers quick and seamless access to their accounts.
About the Author
Karin Tansey is Sr. Director of Product for Authentication and Mobile product lines for Early Warning. Ms. Tansey has been delivering network security and mobile solutions for over 15 years. An avid Xbox gamer, she thoroughly enjoys developing and delivering new solutions for out-of-band authentication and mobile multi-factor services.
[1]–[5] National Institute of Standards and Technology, “Digital Identity Guidelines: Authentication and Lifecycle Management,” NIST Special Publication 800-63B, June 2017.