The latest draft of the Digital Authentication Guideline (SP 800-63-3), released Tuesday by the National Institute of Standards and Technology (NIST), sharply devalues the popular SMS/text-message form of two-factor authentication and places limits on biometric authentication.
NIST calls out-of-band (OOB) authenticators that use SMS deprecated, noting that they “may no longer be allowed in future releases of this guidance.” The agency defines an OOB authenticator as a uniquely addressable physical device that can receive a verifier-selected secret for one-time use. The device must be possessed and controlled by the claimant and must support private communication over a secondary channel, separate from the channel used for the primary authentication factor.
The SP 800-63 document set gives agencies implementing electronic authentication technical and procedural guidelines for choosing and implementing authentication processes appropriate to their risk, NIST said. It covers remote authentication of users (employees, contractors, or private individuals) interacting with government information technology (IT) systems over open networks. Once finalized, the publication will supersede SP 800-63-2 from August 2013, which itself replaced SP 800-63-1 (December 2011) and the original SP 800-63 (April 2006).
OOB authentication using the SMS capability of a cellular phone has been a popular form of two-factor authentication: a claimant attempts to log in to a website with a password, the website sends a text message containing a temporary code to the claimant’s phone, and the claimant then enters that code into the website as the second factor. The method is currently offered by private-sector companies such as LinkedIn [LNKD], Google [GOOG], Apple [AAPL], Twitter [TWTR], and Facebook [FB].
NIST notes that OOB authenticators have two key requirements: the device must be uniquely addressable, and communication over the secondary channel must be private. The new draft points out that some voice-over-IP (VoIP) telephone services can deliver text messages and voice calls without the recipient possessing any particular physical device, so receipt of the secret no longer proves possession of a device.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators,” NIST said in the report.
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service,” it added.
Another SMS-related concern is that some cellular/smartphone devices display an authentication secret on a device the owner has locked, weakening the process. Under the new draft, an authenticator may indicate on the locked device that a secret has been received, as long as the secret itself is not readable without unlocking the device.
The agency also directs that a pre-registered telephone number shall not be changeable without two-factor authentication at the time of the change.
In contrast to SMS-based two-factor authentication and the risk it entails, NIST said, mechanisms such as smartphone applications using secure communications protocols are preferred for OOB authentication, alongside other methods such as single- and multi-factor one-time password (OTP) devices and single- and multi-factor cryptographic software.
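The verifier-side rules described above (a verifier-selected secret sent to a pre-registered number, the SHALL that the number be on a mobile network rather than a VoIP service, and the rule that the number cannot be changed without a fresh second factor) are easier to reason about as code. The following is an added example, not text from the NIST draft or code from any company named in this article. The line-type table, the code lifetime, the guess limit and the change window are all assumptions made for the example; a real verifier would query a carrier or number-portability service for the line type and set those limits by policy.

```python
"""Verifier-side controls for an SMS out-of-band (OOB) authenticator (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: constructed line-type data standing in for a carrier lookup service.
LINE_TYPE = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "mobile",
}
CODE_TTL_SECONDS = 300        # assumption: how long a sent code stays valid
MAX_CODE_ATTEMPTS = 5         # assumption: failed guesses allowed per code
CHANGE_WINDOW_SECONDS = 120   # assumption: how fresh the second factor must be to change the number


@dataclass
class Subscriber:
    username: str
    phone: str                                 # pre-registered telephone number
    pending: Optional[dict] = None             # code in flight, if any
    last_oob_success: float = float("-inf")    # when the second factor last succeeded


class SmsOobVerifier:
    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self.send_sms = send_sms   # the secondary channel (an SMS gateway in production)
        self.now = now             # injectable clock so expiry can be exercised offline

    @staticmethod
    def is_mobile_line(phone: str) -> bool:
        """The draft's SHALL: refuse numbers belonging to VoIP or other software-based services."""
        return LINE_TYPE.get(phone) == "mobile"

    def send_code(self, sub: Subscriber) -> None:
        """Generate a verifier-selected one-time secret and send it over the secondary channel."""
        if not self.is_mobile_line(sub.phone):
            raise ValueError("SMS out-of-band refused: number is not on a mobile network")
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        sub.pending = {"code": code, "expires": self.now() + CODE_TTL_SECONDS, "failures": 0}
        self.send_sms(sub.phone, f"Your verification code is {code}")

    def verify_code(self, sub: Subscriber, candidate: str) -> bool:
        """Accept the code once, within its lifetime, with a bounded number of guesses."""
        p = sub.pending
        if p is None:
            return False
        if self.now() > p["expires"]:
            sub.pending = None                       # expired: the claimant must start over
            return False
        if hmac.compare_digest(p["code"], candidate):   # constant-time comparison
            sub.pending = None                           # one-time use: burn the code
            sub.last_oob_success = self.now()
            return True
        p["failures"] += 1
        if p["failures"] >= MAX_CODE_ATTEMPTS:
            sub.pending = None                           # too many guesses: invalidate the code
        return False

    def change_phone(self, sub: Subscriber, new_phone: str) -> None:
        """The draft: a pre-registered number changes only behind two-factor authentication."""
        if self.now() - sub.last_oob_success > CHANGE_WINDOW_SECONDS:
            raise PermissionError("second factor required before changing the registered number")
        if not self.is_mobile_line(new_phone):
            raise ValueError("new number is not on a mobile network")
        sub.phone = new_phone
        sub.pending = None


def demo() -> dict:
    """Walk the flow with a captured outbox and a controllable clock; returns the outcome of each check."""
    outbox, clock, results = [], {"t": 1_000_000.0}, {}
    v = SmsOobVerifier(send_sms=lambda to, body: outbox.append((to, body)), now=lambda: clock["t"])

    bob = Subscriber("bob", "+15550002222")      # VoIP number: refused before any secret is sent
    try:
        v.send_code(bob)
        results["voip_rejected"] = False
    except ValueError:
        results["voip_rejected"] = True

    alice = Subscriber("alice", "+15550001111")  # mobile number: code is sent, accepted once only
    v.send_code(alice)
    code = outbox[-1][1].split()[-1]             # what the claimant reads off the handset
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code_rejected"] = not v.verify_code(alice, wrong)
    results["right_code_accepted"] = v.verify_code(alice, code)
    results["replay_rejected"] = not v.verify_code(alice, code)

    v.change_phone(alice, "+15550003333")        # allowed: the second factor just succeeded
    results["change_after_2fa"] = alice.phone == "+15550003333"

    clock["t"] += CHANGE_WINDOW_SECONDS + 1      # second factor is now stale
    try:
        v.change_phone(alice, "+15550001111")
        results["stale_change_blocked"] = False
    except PermissionError:
        results["stale_change_blocked"] = True

    v.send_code(alice)                           # a code that outlives its TTL is useless
    code = outbox[-1][1].split()[-1]
    clock["t"] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not v.verify_code(alice, code)
    return results
```

Note what the code does not do: it cannot tell whether the SMS was intercepted or redirected in transit, which is exactly the residual risk the draft cites when it tells implementers of new systems to consider alternative authenticators.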
The draft also supports only limited use of biometrics for authentication. NIST explains that biometric false-match and false-non-match rates do not provide confidence in the authentication of the subscriber; biometric matching is probabilistic rather than deterministic; template-protection schemes that would allow a biometric credential to be revoked are limited; and biometric characteristics are not secrets, since they can be obtained from pictures and online sources, lifted from objects a person touches (fingerprints), or taken from high-resolution images (iris patterns).
NIST said that although presentation attack detection (PAD) technologies like liveness detection can mitigate the risk of misused biometric data, “additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP [credential service provider] subscriber.”
Given these issues, NIST endorses biometric authentication only under certain restrictions: it must be used together with another authentication factor; the system must meet minimum error and matching rates; the sensor must demonstrate that it is certified; system testing must demonstrate at least 90 percent resistance to presentation attacks; and the system shall allow no more than 10 consecutive failed authentication attempts.
Other major changes in the draft include a revamping of identity proofing, new password guidance, removal of insecure authenticators (such as pre-registered knowledge tokens), privacy requirements, and usability considerations.
NIST released the draft as a public preview: a stable draft reflecting what the agency has learned through public comment periods, public workshops, and industry collaboration. It is “neither complete nor perfect, and it’s not intended to be,” NIST said. At this stage the agency is stating the direction it intends to take while seeking comment from stakeholders on what is right, wrong, and entirely missing in the guidelines.
Although SP 800-63 is intended primarily for federal agencies, NIST knows it has a material impact on private-sector partners.
“So we want to put fingers to keyboard with the community earlier and more often in hopes this update to SP 800-63 not only reflects the current state of the market, but has a level of future-proofing for where digital authentication to government services is going,” the agency said in its announcement.