The FLEX Connexion Blog

NIST Frowns on the Use of Text Messaging for Mobile Authentication

Written by Preston Packer | Aug 23, 2016

The National Institute of Standards and Technology (NIST) announced in July a significant change to its secure authentication recommendations that will impact core credit union mobile banking. In draft Special Publication 800-63B, 'Authentication and Lifecycle Management' (part of the 'Digital Authentication Guideline'), NIST deprecated its recommendation of SMS as a delivery mechanism for one-time passwords used in two-factor authentication.

For experts in the security field, this announcement comes as little surprise. Andy Greenberg, senior security writer for WIRED, published an article in late June, just a few weeks before the NIST draft, entitled So Hey You Should Stop Using Texts for Two-Factor Authentication. He points out that the first half of 2016 demonstrated that SMS text messages are often the weakest link in two-step logins. Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can hijack the SMS messages meant to keep you safe. Earlier this summer, Black Lives Matter activist DeRay McKesson had his Twitter account hacked, and the hackers began tweeting pro-Donald Trump messages from McKesson's account. Twitter is notorious for having only SMS two-factor authentication in place. The hackers, as McKesson tells it, had called up Verizon, impersonated him, and convinced the company to redirect his text messages to a different SIM card, intercepting his one-time login codes. Greenberg concludes that SMS authentication ties the security of your account to control of your phone number, and that control can be socially engineered away from you.

The problem is compounded by the fact that many banking institutions use SMS text for two-factor authentication, including some of the banking giants (JP Morgan Chase and Wells Fargo, to name a few). It is a relatively easy form of mobile authentication to implement, and it can be a convenient option for your credit union members. However, it is generally agreed, and evident from the ever-increasing number of stolen-credential incidents, that not enough is being done to secure mobile authentication as a whole. The NIST draft, as detailed by bankinnovation.net, reinforces these concerns and declares that SMS-based two-factor authentication is insecure because "a user may not be in possession of his device." Instead, NIST recommends biometric methods of authentication, such as Apple's Touch ID: "something you are rather than something you have."

Could This Solidify the Rise of Biometrics?

In 2015, we published Why Are People Giving Their Bank Accounts the Finger?, which discussed the debate over the safety of traditional passwords versus biometric scanning. From the end user's practical standpoint, typing a username and password on a mobile phone is an inelegant way to log into your bank account, whereas a swipe of a finger is of the utmost ease. From a security standpoint, the debate rages on over what matters most: data privacy advocates have been quick to warn that your biometric identity would be in someone else's hands, whereas security experts, such as those at NIST, side with the benefits to account security.

Fingerprint readers used for Apple Pay and other mobile payment services have made your members more comfortable with, and ready to accept, biometric technology for paying bills and banking, and these latest recommendations have perhaps solidified the need for credit unions to have a plan in place to adopt the technology.