The Council brings back the Assessor Session to this year’s Community Meeting and it takes only one question to get passions flowing. The question was to get a clarification of a comment made by Ralph Poore, Director, Emerging Standards at the Council, about multi-factor authentication (MFA).
First a little background to get everyone up to speed remembering that the US National Institute of Standards and Technology (NIST) SP800-63B standard in question is still a draft and has not been finalized. However, everyone expects this standard to be adopted largely unchanged and with only minor wording revisions that would not affect the overall recommendations in the standard.
What NIST stated about SMS was in section 5.1.3.2. Out-of-Band Verifiers of SP800-63B which states:
“Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier SHALL verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service. It then sends the SMS or voice message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using the PSTN (SMS or voice) is deprecated, and may no longer be allowed in future releases of this guidance.”
NIST is only calling out that new implementations of SMS or voice MFA should consider the security implications of using SMS or voice for MFA. But NIST has not totally invalidated any existing SMS and voice MFA solutions. They just do not want any new implementations unless there is no choice because the process is already underway. So while SMS or voice MFA can still be used in existing implementations, NIST is saying that future implementation of SMS and voice MFA are out of the question, have basically killed those solutions.
With that as our background, in a Community Meeting session, Ralph Poore stated that MFA to devices such as smartphones or back to the same device or browser (i.e., “soft” solutions) were not considered secure because of statements in the NIST Draft of SP800-63B. I was attending a different session when Ralph made his statements, but I can tell you that my cell phone started buzzing with text messages from various people asking if we had all heard what we had heard. But since there was no Q&A at that session, there was no way to clarify Ralph’s statements.
As a result, this issue was brought up in the Assessor Session to clarify those MFA comments. Ralph stood and reiterated his remarks and that sent the room into an absolute tizzy. It was pointed out that NIST had only invalidated SMS and voice for future two-factor authentication, not all soft token solutions such as RSA’s or Symantec’s application solutions. However, Ralph continued to repeat his remarks saying that they had invalidated all soft solutions. That brought the house down and people were loudly explaining that his comments were invalidating decades of recommendations for OOB MFA solutions. Eventually the room calmed down and the Council agreed to review their position on such “soft” MFA solutions.
So that is where we are with this subject. Time will tell if the Council revises its statements on MFA and comes into line with what NIST is saying on the subject.
PCI Guru 