Earlier this year, NIST issued guidance (to be picky, in SP 800-63B) surrounding two-factor authentication that leverages SMS (text messages) – basically the way nearly every civilian uses 2FA. The opinion is that SMS is not a reliable “something you have”, for two reasons that have emerged:
- SMS does not necessarily deliver to a handset. Phone numbers can now go to Skype, Google Voice, and other VOIP solutions. All of these introduce points of failure that interrupt the assurance of 2FA – there is less assurance that the second factor is really something you have. When the something you have is a physical token, providing you maintain custody of the token, 2FA is trustworthy.
- There is a growing body of research to suggest that SMS could be intercepted by a third party. Certainly in a VOIP scenario, you can see a broad attack surface – transmission protocol vulnerabilities, vulnerabilities in the VOIP application itself, operating system compromise. Without getting into a lengthy discussion surrounding the mechanics of text message transmission and message encryption from purely a handset perspective, know that it’s enough of a concern for NIST to suggest it to be a risk in terms of providing assurance.
Here is the challenge though. There hasn’t been meaningful adoption of an alternative mainstream 2FA mechanism. Sure, Google and Dropbox and Github and a small number of other apps have adopted FIDO U2F – which leverages tokens – but it’s not a ubiquitous implementation. We don’t see this where it counts yet – at your bank, at your credit card company, at your financial services firm, with your insurance company. If these players are using 2FA right now, it’s probably SMS, or an antiquated token scheme such as Bank of America’s, which doesn’t seem to have aged well.
So what are you left to do? If you wait for perfect, you’ll be waiting forever. Some 2FA is better – WITHOUT DEBATE – than not having it at all. My guidance is that absent a physical token, SMS to a phone number that delivers to a physical handset is reasonably secure. It’s not the best. We know why. But for your personal affairs, it should get you by.
That said, if you are looking at 2FA from any kind of enterprise perspective, it’s not even a question: SMS is not in the equation. You need U2F, or PKI token/smartcard, RSA SecureID – something in this realm of solutions. And you need someone to run that program.