September 20, 2018
NIST Initiates the Demise of SMS 2FA in Banking
Posted August 30, 2016
In our previous blog, we discussed some of the ramifications of new rules set forth in the Digital Authentication Guideline from the US National Institute for Standards and Technology (NIST). NIST advised that SMS two-factor authentication (2FA) be phased out and will no longer be considered an approved out of band authentication method. Although many banks utilize the NIST framework for improving cybersecurity, adherence is voluntary and typically relegated to top-tier financial institutions.
Don’t let the voluntary nature of NIST adherence fool you – failing to follow NIST advice can lead to grave consequences.
FFIEC and NIST
We have seen the Federal Financial Institutions Examination Council (FFIEC) reference the NIST Cybersecurity Framework in the Cybersecurity Assessment Tool (CAT) released in 2015. While NIST may not carry sufficient sway over the financial services sector, the FFIEC and member agencies certainly do.
Two points to consider. First, the FFIEC (or member agencies) could potentially adopt the NIST recommendation, rendering SMS 2FA insufficient as an authentication method. Second, and more likely, the FFIEC (and member agency) examiners might very adopt the NIST recommendations as a de facto standard. Remember, regulatory rules and mandates are continuously reinterpreted by the field examiners in light of newly identified risks and FFIEC guidance has been referred to as “living documents”. Banking examiners could cite the NIST advice and push back on SMS 2FA during audits.
Another outcome of the NIST position is its effect on liability in banking cyberfraud cases. While this is not so much an issue in the consumer banking space due to Reg E requirements, it will likely have a material impact on commercial banking cases. Commercial banking fraud is generally governed by Uniform Commercial Code Article 4A (UCC4a), which requires a “commercially reasonable method of providing security against unauthorized payment orders.” Because UCC4a does not explicitly define commercially reasonable security methods, virtually all recent litigation has referred to FFIEC requirements to help define minimum cyber security expectations.
Due to the dearth of regulations explicitly outlining commercially reasonable security methods, we expect future court cases to call upon the NIST Digital Authentication Guideline to define minimum expectations. NIST’s explicit deprecation of SMS 2FA will certainly make a powerful argument in favor of commercial customers who experience fraud in spite of using this authentication approach.
Putting the recent NIST recommendation aside, most cybersecurity experts have bemoaned the dangers and limitations of SMS 2FA for some time as cybercriminals have successfully bypassed this control numerous times. We urge all financial institutions to consider both passive and more user-friendly interactive authentication methods that are both strong and convenient as part of a layered approach to authenticating user identities. Finally, we urge US financial institutions to consider the regulatory and legal implications of deploying SMS 2FA as in authentication factor.
The ThreatMetrix Digital Identity Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s unique digital identity by analyzing the myriad connections between devices, locations and anonymized personal information. Transactions can be passively authenticated in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction.