
NIST: SMS cannot be used as an authentication tool.



The US National Institute of Standards and Technology (NIST) has come out against using SMS as an element of two-factor authentication. In the latest draft of the Digital Authentication Guideline, the agency's representatives state that "[out-of-band authentication] using SMS will be prohibited by the standard and will not be allowed in its subsequent editions."

The document is not mandatory, but many US government agencies and companies build their infrastructure in accordance with NIST standards, so this decision could significantly change approaches to information security in the near future.
Out-of-band authentication here means using a second device to verify the user's identity.

Why SMS cannot be used for authentication


The NIST document does not directly state why SMS should not be used as an element of a two-factor authentication system. Nevertheless, it is clear that the Institute's representatives took the numerous reports of SMS hacking and interception into account when preparing the draft.

In particular, the hacking of the Telegram accounts of Russian opposition figures received wide publicity. Pavel Durov announced that the messenger's SMS-based authorization system may have been compromised. According to Telegram's creator, the attack could not have been carried out without the involvement of the security services. However, the experts of Positive Technologies conducted their own research, as a result of which they managed to intercept Telegram and WhatsApp authentication codes using SS7 vulnerabilities.

As a result, full access to the messenger accounts was obtained: an attacker who carried out such an attack could not only intercept data, but also conduct correspondence on behalf of the victim.



In addition, we previously published the results of a study on the security of SS7 networks. The overall security level of the SS7 networks of all the mobile operators studied was extremely low. In 2015, attacks involving subscriber data leakage (77% of successful attempts), network disruption (80%) and fraud (67%) could be carried out against telecom operators and their SS7 networks.

The popularity of this topic is easy to check: relevant search-engine queries return links to specialized resources on the closed part of the Internet:



In a closed network segment, you can find a lot of services for hacking SS7:



Orders for such hacks are also placed quite openly:



In addition, not only SS7 networks but also the radio-interface encryption algorithms have known weaknesses. Attacks on the SS7 network can be carried out from anywhere in the world, and an attacker's options are not limited to compromising instant messengers. And all these attacks are now becoming available not only to state security services, but also to attackers with no affiliation to any state.

What will happen now


Best practices published by NIST are not legally binding standards. However, many US government departments and agencies follow them, as do many IT companies. After such an unequivocal verdict from the Institute of Standards and Technology, many of them will therefore begin to look closely at authentication methods other than SMS.

Such alternatives include, for example, applications that generate two-factor codes that refresh every 30 seconds, such as Google Authenticator, Authy and Duo. Large corporations are developing tools based on similar principles (RSA SecurID).

A complete and widespread abandonment of SMS-based authentication will not happen in the near future. However, the number of services that support two-factor authentication not only via SMS but also within their own applications will gradually grow, and such systems will deliver better results in protecting users.

Source: https://habr.com/ru/post/307156/

