August 14, 2018
The 2FA Fall from Grace: NIST Calls for the End of SMS Two-Factor Authentication
Posted July 29, 2016
In the age of highly organized, complex and evolving cybercrime attacks, effective digital authentication has become more challenging than ever. Businesses are walking a tightrope between verifying who they are transacting with while minimizing friction that can cause frustration at best, and defection to a competitor at worst.
It can feel like a no-win situation. Usernames and passwords are all but dead in the water. Numerous high profile data breaches have flooded the dark web with user credentials that can be bought and sold in huge batches, for use in mass automated bot attacks that hammer big businesses at a rate of millions per day. A verified login via a username and password simply cannot be trusted.
Until recently, many organizations saw SMS two-factor authentication (2FA) as the holy grail; an effective and simple solution that sent a one-time SMS to the trusted user’s device to check they are the person transacting. However, this week brings us the news that the US National Institute for Standards and Technology (NIST) is advising that SMS 2FA be phased out as a recommended authentication solution. Drastic? Well, yes, but it highlights just how rapidly the cybercrime landscape is evolving; showing businesses in no uncertain terms that single-point fraud solutions are simply not enough.
Let’s examine the recommendation in more detail. NIST are concerned that SMS 2FA is just not secure enough for reliable authentication. There are multiple avenues for fraudsters to exploit. The device itself may have been the catalyst for the original fraud – if a fraudster gets his hands on a stolen device and gains access to online accounts, the SMS verification is delivered directly into his hands. In the same vein, a fraudster may succeed in convincing the mobile phone operator to send out a new SIM card via a clever social engineering attack, redirecting SMS messages to the fraudster’s device. Likewise, SMS messages are far from secure and can be intercepted via device spoofing and SIM card cloning. Finally, fraudsters have successfully tricked banking customers into installing SMS-forwarding software in order to authenticate fraudulent online transactions. However, SMS 2FA does provide an extra layer of protection, in some situations, and this shouldn’t be discounted.
For example, if a fraudster bought a huge list of stolen usernames and passwords, and launched a bot attack to test the validity of these credentials, SMS 2FA would give user accounts some protection. The fraudster is unlikely to be able to pass the 2FA check and therefore user accounts would remain secure. The relevant point here is, 2FA is just one part of the overall authentication jigsaw, and for some fraud attacks, it remains an effective defense..
The point NIST raises though is a valid one, it is not as secure as businesses might think, and should certainly not be used as the key method of online authentication. So what is the solution to this authentication conundrum? Well of course there are more secure versions of 2FA which can form a pivotal role in authentication strategy, including hardware tokens, secure applications and biometrics. The challenge for digital businesses is that the first two of these options introduce more friction into the transaction process, and the third, although more secure, can be error prone. In both cases, the risk is an unhappy customer.
This guideline details a separation of credential authority, registration authority and authenticator to make sure the integrity of the authentication process is not compromised. This approach is already the foundation of how ThreatMetrix looks at digital authentication. ThreatMetrix believes the most effective solution lies in a layered approach to authenticating user identities, built upon a passive solution that works in real time, but does not subject trusted users to unnecessary friction. A risk-based model that tailors the level of authentication to individual users depending on how, why and where they are transacting, and whether this corresponds to expected behavior. This is the heart of the ThreatMetrix approach and it harnesses the inherent power of Digital Identities. The beauty of this solution is that effective 2FA strategies become part of the overall approach, rather than the potentially risky endpoint.
The ThreatMetrix Digital Identity Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s unique digital identity by analyzing the myriad connections between devices, locations and anonymized personal information. Transactions can be passively authenticated in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction.