The National Institute of Standards and Technology (NIST) routinely publishes guidelines to help organizations properly secure their networks, systems, and other resources. Over the last year there has been quite a bit of back and forth over the role of multi-factor authentication (MFA), such as one-time passwords (OTP) delivered by text message and other methods. The changes stem from the perceived security deficiencies of some MFA methods in common use, which led NIST first to remove MFA as a recommendation and then to add it back at the request of industry security leaders and corporate security teams.
MFA is, simply put, the requirement to present a second form of identification beyond primary factors such as a username and password. Time-sensitive OTPs, push notifications that ask the user to approve the login on a smartphone or another connected device, and email verification links are all common MFA methods used by companies and services today. Using MFA is much better than requiring a username and password alone, but each of the common MFA methods has potential security holes that must be addressed before it can be used safely, and that is what caused NIST's hesitation to endorse MFA in general.
Authentication by email link can be defeated by a bad actor who gains access to the email accounts of one or more users and intercepts the login emails. OTPs or links sent via text message can be compromised by bad actors cloning phones or intercepting SMS messages directly. Even more complex MFA solutions such as push-to-accept via a smartphone application can be intercepted by determined attackers. While these attacks take serious effort to pull off, all of them have been seen "in the wild" and have succeeded in the past.
NIST recognized that MFA alone can be overcome by an attacker proficient with the right tools, and was therefore hesitant to recommend MFA as a primary part of a secure organization's identity and access management controls. While that position was defensible on the facts alone, other organizations had several reasons to encourage NIST to reconsider. MFA is more secure than a username and password alone, and when combined with other safeguards it can be used with minimal risk of bad actors compromising the system.
Such safeguards include limiting MFA to methods that are less likely to be intercepted or compromised, for example requiring a smartphone app and verifying that the phone in question is recognized and has not been ported or moved to an unlikely cellular network. Adaptive authentication that evaluates user location also ensures that a user who is supposed to be in Chicago is not attempting to sign in from Bangkok. Taken together, these measures make MFA a powerful tool for screening out unauthorized users and anyone attempting to authenticate from a cloned or otherwise compromised device.
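The screening described above, as an added Python example that is not part of the original article: an impossible-travel check (the Chicago-versus-Bangkok case), a recognized-device check and a number-port signal are combined into a single allow / step-up / deny decision. The user, coordinates, prior-login record and speed threshold are constructed assumptions, not values from any real system.

```python
import math
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    lat: float
    lon: float
    minutes_since_last_login: float
    device_recognized: bool   # phone/app previously enrolled for this user
    carrier_changed: bool     # number recently ported or on an unexpected carrier


# Constructed record of each user's last successful login location (Chicago).
LAST_KNOWN_LOCATION = {"alice": (41.88, -87.63)}

# Anything faster than a commercial flight is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(attempt):
    """True if reaching the new location since the last login would exceed MAX_PLAUSIBLE_KMH."""
    prev = LAST_KNOWN_LOCATION.get(attempt.user)
    if prev is None or attempt.minutes_since_last_login <= 0:
        return False  # no baseline to compare against
    distance_km = haversine_km(prev[0], prev[1], attempt.lat, attempt.lon)
    speed_kmh = distance_km / (attempt.minutes_since_last_login / 60.0)
    return speed_kmh > MAX_PLAUSIBLE_KMH


def decide(attempt):
    """Return 'deny', 'step_up' or 'allow' for the attempt."""
    if attempt.carrier_changed:
        return "deny"      # an OTP or push sent to a ported number cannot be trusted
    if impossible_travel(attempt):
        return "deny"      # the Chicago user is suddenly "in" Bangkok
    if not attempt.device_recognized:
        return "step_up"   # known location, unknown device: require a stronger factor
    return "allow"
```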
NIST was not wrong to hesitate initially before endorsing MFA as a sole method of identity assertion. However, they were eventually persuaded to reconsider because readily available technologies can deny bad actors the ability to defeat the safeguards around MFA. Organizations should take this into account and leverage true adaptive authentication to keep MFA safe, improving the user experience while keeping the bad actors out.