NIST 800-63B: deprecating the use of out-of-band SMS for two-factor authentication

August 27, 2016

This week, NIST announced 800-63B - a draft special publication named ‘Digital Authentication Guideline’ for ‘Authentication and Lifecycle Management’. Within this draft, NIST is deprecating their recommendation of using SMS as a delivery mechanism for one-time-passcodes as an out-of-band authentication method.

At SecureAuth, we agree with NIST’s guidance. As a security vendor where authentication is in our DNA, we have believed and demonstrated that basic two-factor authentication alone is no longer enough.

In today’s world where credentials are being stolen daily, the large uptake of SMS as a basic form of two-factor authentication is of no surprise. It’s been relatively easy for companies to implement - the availability of cell phones is now widespread, and while the user experience is not fantastic, it’s generally acceptable given the increase in security.  The reality is though, organizations (whether it’s for corporate or consumer use) are still not doing enough around securing authentication.

However, with this news, it’s important not to throw the baby out with the bathwater. There is arguably some sensationalism being generated in the media as a result of this news, and while we’d advise any SecureAuth customers to use more than just basic two-factor authentication, (such as adaptive authentication techniques or a more secure second-factor method like mobile push) hope is not lost for those organizations that are still using SMS one-time-passcodes.

Per the new guidance from NIST, SecureAuth customers using SMS based one-time-passcodes can already begin to meet the new requirements of the draft.

To begin with, SecureAuth IdP is able to ensure that any access for changes to the pre-registered telephone number are protected by two-factor authentication. Similarly, SecureAuth can also ensure that the receiving telephone number for the SMS one-time-passcode isn’t virtualized, e.g. a VOIP number. We reduce risk today by blocking all virtualized telephone numbers that are not US based, and while we do allow this for US numbers (due to the widespread use of Google Voice) under NIST’s guidance we are now considering blocking this globally once we've considered customer impact.

For those SecureAuth customers that are still concerned about the use of SMS as a basic form of two-factor authentication, there are alternatives such as receiving a spoken one-time-passcode via a telephone call, or using more secure forms of two-factor authentication known as ‘push' that leverage Apple and Google end-to-end encrypted networks.

While these push methods depend on a user possessing a smart phone, this out-of-band method of authentication uses a secure communication protocol for the delivery of the one-time-passcode (or the acceptance of the user granting the authentication request). This conforms fully to NIST’s guidance per the current draft and provides not only a more secure alternative to SMS one-time-passwords, but also an improved user experience for the end user.

While the theme of this article has centered around two-factor authentication and navigating this draft publication from NIST, for those customers who wish to go beyond just two-factor, SecureAuth can also offer additional layers of risk analysis afforded by using Adaptive Authentication.

Adaptive authentication performs risk analysis of the user pre-authentication: before the user is even sent a one-time passcode or prompted for a second factor. These additional layers of risk analysis include: analysis of the authenticating IP address against known threats, analysis of the geographic location combined with logging history, and analysis of aspects of the user’s endpoint device. Adaptive authentication can mitigate risk and help organizations move beyond just two-factor authentication.

  • SecureAuth

Suggested reads

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!