NIST blog clarifies SMS deprecation in wake of media tailspin

Agency goal is two-factor authentication for all levels of security assurance, but SMS is not on preferred factor list

Whoa! Hold on there, two-factor authentication killers!

The National Institute of Standards and Technology Friday published a blog explaining its guidance on the deprecation of SMS as a viable second factor for strong authentication.

"We are saying 'deprecated,' we are not saying 'not allowed,'" said Paul Grassi, senior standards and technology advisor at NIST.

Early media reports on Tuesday were accurate, but later in the week the story of NIST's declaration of SMS deprecation, first announced in May, began to run off the rails. One report even carried the message that NIST did not want people to turn on two-factor authentication at all.

"We don't want you to use SMS as a second factor, but we absolutely want two-factor authentication, in fact, we recommend it for all levels of assurance," said Grassi, who is one half of a superhero-like team pushing modern identity into US government policies and guidelines. His cohort is Mike Garcia, the deputy director of NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC).

The draft NIST Special Publication 800-63-3: Digital Authentication Guideline calls for the deprecation of SMS based on two separate scenarios.

First, not all SMS is mobile phone-based communication, and NIST is specifically calling out SMS over VoIP, where the authentication code could end up in something like Skype or Google Voice and be used more like a second password (something you know) rather than a second factor (something you have).

"So we felt we had to propose ruling VoIP out," said Grassi.

In the second scenario, NIST determined based on extensive independent research that redirecting and intercepting SMS messages has become too easy and can be operated at scale. This means an SMS second factor "doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3," Grassi said in his blog.

Therefore, Grassi said, SMS was being deprecated as an out-of-band authentication method. NIST describes an out-of-band authenticator "as a physical device that is uniquely addressable and can receive a verifier-selected secret for one-time use." Today, for most users that device is a phone.
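To show what "deprecated, not disallowed" looks like on the verifier side, here is an added example of an out-of-band verifier that applies the two scenarios above: it prefers a push or FIDO-style authenticator, allows SMS only when an operator has explicitly opted in, refuses to treat an SMS to a VoIP-routed number as a possession factor, and issues each verifier-selected secret for one-time use with an expiry. This is illustrative code written for this article, not NIST's or any agency's implementation; the `VOIP_NUMBERS` set stands in for a real line-type lookup service, and all numbers and user names are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for a carrier / line-type lookup. A real verifier would
# query a number-portability or line-type service; this is an assumption.
VOIP_NUMBERS = {"+15550000002"}


@dataclass
class Challenge:
    """One verifier-selected secret, bound to an expiry and single use."""
    secret: str
    expires_at: float
    used: bool = False


@dataclass
class OobVerifier:
    # "Deprecated, not disallowed": SMS is off unless policy explicitly enables it.
    allow_deprecated_sms: bool = False
    ttl_seconds: int = 300
    _pending: dict = field(default_factory=dict)

    def choose_channel(self, user_channels: dict) -> str:
        """Pick the strongest enrolled out-of-band channel for a user.

        user_channels maps channel name -> address, e.g. {"push": "dev-1",
        "sms": "+15550000001"}. Push (device-bound, FIDO-style) wins; SMS is
        a policy-gated fallback and never to a VoIP-routed number.
        """
        if "push" in user_channels:
            return "push"
        if "sms" in user_channels:
            if not self.allow_deprecated_sms:
                raise PermissionError("SMS out-of-band is deprecated by policy")
            if user_channels["sms"] in VOIP_NUMBERS:
                raise PermissionError(
                    "SMS to a VoIP-routed number is not a possession factor")
            return "sms"
        raise LookupError("no out-of-band authenticator enrolled")

    def issue(self, user_id: str, address: str) -> str:
        """Generate a fresh 6-digit secret for delivery to the user's device.

        Delivery itself is out of scope here; the code is returned so the
        caller can hand it to the transport. Issuing replaces any older
        pending challenge for the user.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = Challenge(code, time.time() + self.ttl_seconds)
        return code

    def verify(self, user_id: str, submitted: str, now: float = None) -> bool:
        """Accept the secret at most once and only before it expires.

        The challenge is consumed on any attempt, right or wrong, so a
        single issued secret cannot be guessed repeatedly.
        """
        now = time.time() if now is None else now
        challenge = self._pending.get(user_id)
        if challenge is None or challenge.used or now > challenge.expires_at:
            return False
        challenge.used = True
        return hmac.compare_digest(challenge.secret, submitted)


if __name__ == "__main__":
    verifier = OobVerifier(allow_deprecated_sms=True)
    channel = verifier.choose_channel({"sms": "+15550000001"})
    code = verifier.issue("alice", "+15550000001")
    print(channel, verifier.verify("alice", code), verifier.verify("alice", code))
```

The default constructor rejects SMS outright; an agency that accepts the documented risk flips `allow_deprecated_sms` deliberately, which mirrors the "implement at your own risk" posture described in the draft guidance.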

Grassi explained the deprecation message is "a strong signal to agencies to look for alternative plans. Implement at your own risk because of the vulnerabilities we told you about and at any given time we can expressively disallow it. These are the guidelines."

Other viable out-of-band authenticators remain on NIST's 800-63-3 recommended list, including those that support FIDO Alliance strong authentication protocols, and Google Prompt.

The 800-63-3 guidelines are in a public discussion phase expected to end Sept. 17, and it will likely be early 2018 before they complete the government's comment and approval process.