The Council brought the Assessor Session back to this year’s Community Meeting, and it took only one question to get passions flowing. That question asked for clarification of a comment made by Ralph Poore, Director, Emerging Standards at the Council, about multi-factor authentication (MFA).
First, a little background to get everyone up to speed, remembering that the US National Institute of Standards and Technology (NIST) SP800-63B standard in question is still a draft and has not been finalized. However, everyone expects this standard to be adopted largely unchanged, with only minor wording revisions that would not affect the overall recommendations in the standard.
What NIST stated about SMS is in section 5.1.3.2, Out-of-Band Verifiers, of SP800-63B, which states:
“Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier SHALL verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service. It then sends the SMS or voice message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using the PSTN (SMS or voice) is deprecated, and may no longer be allowed in future releases of this guidance.”
NIST is only calling out that new implementations of SMS or voice MFA should consider the security implications of using SMS or voice for MFA. But NIST has not totally invalidated any existing SMS and voice MFA solutions. They just do not want any new implementations unless there is no choice because the process is already underway. So while SMS or voice MFA can still be used in existing implementations, NIST is saying that future implementations of SMS and voice MFA are out of the question, which has basically killed those solutions.
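The quoted section imposes three concrete obligations on an out-of-band (OOB) verifier that uses the PSTN: check that the pre-registered number is not a VoIP or other software-based line, refuse to change that number without two-factor authentication at the time of the change, and only then send the code. The following is an added example, not code from the post or from NIST, showing what those rules look like enforced in a small Python verifier. The line-type table, the phone numbers, the 300-second code lifetime and the `mfa_completed_now` flag are all constructed assumptions; a real deployment would query a carrier line-type service and take the MFA result from its own authenticator.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed line-type table standing in for a carrier/number-portability lookup.
# These numbers are made up; a real deployment would query a line-type service.
LINE_TYPE = {
    "+15550100": "mobile",   # ordinary carrier-issued mobile number
    "+15550199": "voip",     # software-based service: not acceptable for PSTN OOB
}

CODE_TTL_SECONDS = 300  # assumption: short validity window for a delivered code


class PolicyViolation(Exception):
    """Raised when a request would violate the SP800-63B out-of-band rules."""


@dataclass
class Account:
    username: str
    phone: str


def check_line_type(phone: str) -> None:
    """SP800-63B 5.1.3.2: the pre-registered number must not be a VoIP/software line.
    Unknown numbers are treated as untrusted rather than assumed to be mobile."""
    kind = LINE_TYPE.get(phone, "unknown")
    if kind != "mobile":
        raise PolicyViolation(f"{phone} is '{kind}', not an acceptable PSTN line for OOB")


def change_phone(account: Account, new_phone: str, mfa_completed_now: bool) -> None:
    """Changing the pre-registered number SHALL NOT happen without two-factor
    authentication at the time of the change. `mfa_completed_now` is assumed to be
    set by a separate, just-completed second-factor check."""
    if not mfa_completed_now:
        raise PolicyViolation("phone change requires two-factor authentication at time of change")
    check_line_type(new_phone)
    account.phone = new_phone


@dataclass
class OOBVerifier:
    """Issues and checks one-time codes sent to the pre-registered number."""
    # username -> (code, phone the code was sent to, expiry time)
    pending: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)

    def send_code(self, account: Account, now: int) -> str:
        check_line_type(account.phone)          # verify line type before every send
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account.username] = (code, account.phone, now + CODE_TTL_SECONDS)
        return code  # in a real system this goes to the SMS/voice gateway, not the caller

    def verify(self, account: Account, submitted: str, now: int) -> bool:
        # pop() makes every code single-use, whether or not this attempt succeeds
        entry = self.pending.pop(account.username, None)
        if entry is None:
            return False
        code, sent_to, expires_at = entry
        # reject expired codes and codes sent to a number that has since been changed
        if now > expires_at or sent_to != account.phone:
            return False
        return hmac.compare_digest(code, submitted)
```

The verifier deliberately binds each pending code to the number it was sent to, so a number change after a code was issued invalidates that code rather than letting it be redeemed against the new line.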
With that as our background, in a Community Meeting session Ralph Poore stated that MFA to devices such as smartphones, or back to the same device or browser (i.e., “soft” solutions), was not considered secure because of statements in the NIST draft of SP800-63B. I was attending a different session when Ralph made his statements, but I can tell you that my cell phone started buzzing with text messages from various people asking if we had all heard what we had heard. But since there was no Q&A at that session, there was no way to clarify Ralph’s statements.
As a result, this issue was brought up in the Assessor Session to clarify those MFA comments. Ralph stood and reiterated his remarks, and that sent the room into an absolute tizzy. It was pointed out that NIST had only invalidated SMS and voice for future two-factor authentication, not all soft token solutions such as RSA’s or Symantec’s application solutions. However, Ralph continued to repeat his remarks, saying that they had invalidated all soft solutions. That brought the house down, and people were loudly explaining that his comments were invalidating decades of recommendations for OOB MFA solutions. Eventually the room calmed down and the Council agreed to review their position on such “soft” MFA solutions.
So that is where we are with this subject. Time will tell if the Council revises its statements on MFA and comes into line with what NIST is saying on the subject.
Recently, the Council released clarification of the MFA question. It has come up with the concept of multi-step authentication, and explained this concept in light of the issues raised in your excellent blog post. Multi-step authentication may also qualify as multi-factor, with constraints, for the moment but that position can change.
I think the risks of using SMS for MFA are higher than most would realise. The problem is not with calls being intercepted or redirected by a black van outside your office but rather how easy it is to clone a SIM card.
There have been a string of YouTubers getting “hacked” over the last year. Your first reaction (like mine) is probably to believe they’re a bunch of dumb kids that got phished – how else could someone bypass Google’s MFA? Well, it turns out all you need to do is phone T-Mobile, Verizon, etc. and say you lost your SIM and they will let you go pick up a new one from the nearest store.
This attack does require knowing quite a bit about your target: what network they’re on, their address, some other private info, etc. That’s why it works so well against internet celebrities but if your company is being targeted it’s not exactly hard to pry this info out of staff.
While your approach works easily against SMS and voice, Google Authenticator would require knowing someone’s Google credentials (possibly easy) and alternate telephone number (the easy part). The RSA, Symantec and similar soft solutions require registration of the device running the software with the organization conducting MFA. So an attacker wanting to compromise those solutions would have to have a lot of information to get an organization’s Help Desk to register a new soft fob.
The problem with Google Authenticator is that you can’t transfer all your accounts from one device to another so people who get a new phone every year get burnt once and switch to using SMS.
The centralised solutions are better but only really businesses use them.
I understand the shortcomings with Google Authenticator, but it still is more secure than SMS. I think we will see more banks rolling out MFA to their customers and that will likely drive acceptance and standardization of soft MFA solutions.
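The comments above contrast SMS with “soft” authenticators such as Google Authenticator, RSA and Symantec, and note that these depend on a seed registered to a specific device. What makes such a token independent of the phone network is that the code is derived from that shared seed and the clock, so nothing is transmitted over SMS or voice at all. The following is an added example, not code from the post or from any of those vendors, implementing the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms those products are based on, plus the server-side bookkeeping that makes a code single-use. The seed is the RFC test seed, so the outputs can be checked against the RFCs’ published vectors; the `SoftToken` class, its drift window and its replay rule are this example’s own design.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference seed (the ASCII string "12345678901234567890"),
# used here only so the output can be checked against the RFCs' published test vectors.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then reduction to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


class SoftToken:
    """Server-side record of one enrolled soft token: the shared seed plus the last
    accepted time-step, so an observed code cannot be replayed within its window.
    (This class and its rules are the example's own design, not any vendor's.)"""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window            # tolerate +/- this many steps of clock drift
        self.last_step: Optional[int] = None

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if self.last_step is not None and candidate <= self.last_step:
                continue  # already consumed, or older than the last accepted step
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_step = candidate
                return True
        return False
```

Because the server only ever advances `last_step`, a code that was accepted once cannot be presented again even while it is still inside the drift window; that is the property an SMS code does not get for free, since the SMS channel itself can be redirected before the code is ever used.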
Banks in a lot of the world actually use hardware MFA. Chip and pin (EMV) cards contain the seed so the Gemalto readers are all the same and are given away freely.
AmEx and a number of banks in the US tried chip cards and readers right after the turn of the century. The problem was that very few online merchants were willing to work with them and those solutions all died off.
To add to the previous response: it’s more than just a seed. If you get the PIN wrong on the reader three times the card locks itself and you have to visit an ATM or bank (presumably to get caught on camera) to unlock the card. It’s been this way in the UK for 5-10 years and is an integral part of chip and pin.
Only because the UK banks implemented it that way. The US market does not have bank-operated infrastructure like the UK or EU when it comes to transaction processing. As a result, it would be very difficult, if not impossible, to implement such a scheme without creating a world of hurt for both the processors, banks and their customers.
“So while SMS or voice MFA can still be used in existing implementations, NIST is saying that future implementations of SMS and voice MFA are out of the question, which has basically killed those solutions.”
Even this seems to be an overly strict interpretation in light of the follow-up guidance NIST has provided. They have not prohibited the use of SMS, but are cautioning that the risks need to be accounted for and that it may be prohibited in future guidance.
“Deprecation is standards-speak for “you can use this puppy for now, but it’s on its way out.” It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions.”
http://nstic.blogs.govdelivery.com/2016/07/29/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3/
The NIST document also is a guideline (i.e., recommendation), not a standard as you call it above.
NIST did not say they MAY deprecate SMS and voice in the future, they said, “OOB using the PSTN (SMS or voice) is deprecated, and may no longer be allowed in future releases of this guidance.”
The operative phrase in that sentence was “IS DEPRECATED”. That means that in future releases of SP800-63A NIST WILL deprecate SMS and voice. They are officially putting everyone on notice that this is your last chance. Once a new release of SP800-63A is issued, SMS and voice for MFA are no longer allowed.