NIST says push authentication is in, out-of-band SMS is out

Last updated: 10 August 2016

NIST, or the US National Institute of Standards and Technology, is updating its guidelines for digital online authentication, making what appear to be considerable updates to the 2013 edition (800-63-2) in its latest public draft, published on May 8th, titled “Special Publication 800-63-3 Authentication and Lifecycle Management.”

NIST’s guidelines affect not only government agencies; they also trickle down to inform the way the private sector handles identity and access management. That’s why the latest overhaul of guidelines on effective strong authentication, identity proofing and identity federation is good news for everyone who wants to keep their online identity, data and accounts safe.


OOB SMS Authentication Out

As for SMS-based OOB Authentication, NIST writes in its public draft:
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

To clarify, many a fraudulent online banking transaction owes its success to the ease with which mobile phone calls and SMS text messages can be forwarded to a thief’s account. For the majority of the population, it’s all too easy to have your carrier account password compromised through phishing or generic low-grade malware. Once an account is accessed with a stolen password, changing the account settings to forward all incoming messages and calls to a fraudster’s handset is a breeze. That’s 1-0 for the thieves.

To counter this type of fraud and related scenarios, the draft NIST guidelines would now require using 2FA to change those very settings, as well as require that registered phone numbers be issued by a mobile network operator, rather than a VoIP service that provides virtual phone numbers. The latter requirement likely has to do with the minimal to nonexistent identity proofing involved in issuing such numbers, and the fact that ‘virtually’ anyone (pun intended) can have a virtual phone number with any country code. (Minimal identity proofing, in turn, means little chance of finding the culprit behind an SMS-forwarding scam.)


OOB Push Authentication In

Enter OOB push authentication using push notifications, which is getting a thumbs up from NIST. To quote, “If out of band verification is to be made using a secure application (e.g., on a smart phone), the verifier MAY send a push notification to that device.” Since this method involves an app that is installed on a user’s device, the above fraud scenario wouldn’t apply. How does it work? When accessing a protected resource, a push notification is sent to the user’s mobile device. The user opens the OOB app, taps to approve the login request, and is then logged in to the resource. Interestingly, Gartner predicts that, “By 2019, 60% of phone-as-a-token deployments will use out-of-band push modes for the majority of users, up from less than 10% today.”
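The approve-to-login flow described above, sketched as an added example that is not taken from the NIST draft or from this post. It assumes the app receives a per-device symmetric key at enrollment and answers each push with an HMAC over the challenge; the class, function and constant names are hypothetical. The point it illustrates is that the approval is bound to a key held on the device rather than to a phone number, so redirecting calls or texts gains nothing.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a login request stays approvable (assumed value)


class PushVerifier:
    """Server side: knows each user's enrolled device key, not a phone number."""

    def __init__(self):
        self.device_keys = {}   # user -> key shared with the app at enrollment
        self.pending = {}       # challenge id -> (user, nonce, expiry)

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key              # provisioned into the app on the user's device

    def start_login(self, user, now=None):
        now = time.time() if now is None else now
        cid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[cid] = (user, nonce, now + CHALLENGE_TTL)
        return cid, nonce       # carried to the device in the push notification

    def finish_login(self, cid, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)   # single use: removed on first try
        if entry is None:
            return False
        user, nonce, expiry = entry
        if now > expiry:
            return False                      # stale request, user must retry
        expected = approve(self.device_keys[user], cid, nonce)
        return hmac.compare_digest(expected, response)


def approve(device_key, cid, nonce):
    """App side: runs when the user taps 'approve' on the login request."""
    return hmac.new(device_key, cid.encode() + nonce, hashlib.sha256).digest()
```

The verifier rejects a response that is replayed, that arrives after the challenge expires, or that was computed with any key other than the one enrolled for that user.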

NIST’s new guidelines have made the headlines as a result of the wide adoption of SMS-based OOB by leading social media and retail sites. The method’s pervasiveness largely stems from its ease of use, and the fact that websites don’t have to distribute any hardware or software, and can support any ‘dumb phone.’ With the evolving nature of digital fraud, it only stands to reason that NIST should evolve their guidelines to keep up with today’s mal-doers.

At the end of the day, being able to use Push authentication and other strong authentication methods is all about choice, flexibility – and making sure that the assurance level used is appropriate to the sensitivity of the assets being accessed. So although NIST has given a “thumbs down” to SMS authentication, organizations still have at their disposal a wide range of authentication methods that provide excellent levels of security combined with an easy and unobtrusive user experience.

For more information on push authentication on mobile devices, check out:
