NIST Shouted, Who Listened? Analyzing User Response to NIST’s Guidance on SMS 2FA Security
In late July, the U.S. National Institute of Standards and Technology (NIST) declared that SMS-based authentication methods will no longer be considered secure. NIST is the agency that establishes technical standards and policies for the US government, and their standards are often viewed in the private sector as best practices.
The relevant paragraph from the latest NIST DAG (Digital Authentication Guideline) draft reads:
“... [Out-of-Band authentication] using the PSTN (SMS or voice) is deprecated, and may no longer be allowed in future releases of this guidance.”
Why is SMS Considered Less Secure Than Other Two-Factor Authentication Options?
Authentication relies on one or a combination of three basic factors:
- Something you know (passwords, passphrases)
- Something you have (a phone, hardware token)
- Something you are (biometrics).
SMS, while falling under the category “something you have,” is not a true verifier as it replaces something you have with something you receive. The authentication verifier has no way to validate that the request initiator possesses the phone to which the SMS was sent, thus undermining its usage as an authentication factor.
With SMS, it is becoming increasingly difficult to verify whether the receiving number is associated with a mobile network or a VoIP network. Sending the codes over VoIP makes them susceptible to man-in-the-middle attacks, which has led to NIST phasing out the support for SMS as a second factor.
Additionally, on many devices, the default configuration allows an SMS to be visible on the lock screen. This can lead to accidental exposure of the passcode through shoulder surfing or if someone has physical access to a device that is locked but still active on the cellular network.
Duo’s Data on SMS Usage as a Second Factor
With the change in NIST’s guidelines and the significant media coverage of their report, we were interested to see if this resulted in any major changes in behavior across our user base.
Prior to the declaration, we were seeing roughly 6-8% of two factor traffic in use with our service via the SMS method. After the announcement was made, we’ve seen a similar percentage, although it has trended toward the lower side of 6%.
Fig. 1. Percentage of unique users using different factors on a weekly basis (users may use more than one factor)
Our data shows the percentage of unique users using SMS has been in a gentle decline since the start of the year. There is a notable lack of significant change to the rate of decline after the release of the revised NIST guidelines.
When looked at in terms of authentication requests sent, SMS has the second lowest volume, only ahead of U2F, but this still accounts for hundreds of thousands of authentication requests a day showing no significant change after NIST updated its guidance.
Fig. 2. Percentage of authentication requests per factor on a weekly basis
It has been roughly two months since SMS was formally declared undesirable and not recommended by NIST, so we don’t have enough data to draw a definitive conclusion on the trend, but early results suggest there has not been a marked decline in the volume of SMS-based two-factor authentication as a result of the latest NIST guidance.
The latest NIST guidance also shows that not all second factor authentication method provide the same benefits when it comes to security, usability and deployment. Two mechanisms that offer significant gains in security and usability are U2F and push-based mechanisms as implemented by Duo Push.
While a fuller discussion of the various aspects that should be taken into consideration when choosing the second factor authentication mechanism is beyond the scope of this post, in general, push-based second factor mechanisms are considered to be more resilient to phishing; less likely to be subject to attacks arising from targeted impersonation of the device receiving the push notification (as long as the screen is locked); and are also more resilient to throttled/unthrottled guessing of underlying keys and/or HOTP credentials. Alongside these security benefits, Duo Push is easy to use, learn and requires no further memory commitments from the user. For readers interested in learning more, some useful resources can be found here and here.
While it is disappointing that the data shows no marked decline in the use of SMS since NIST’s guidance update, there is also a positive aspect illustrated in the continuing increased adoption of Duo Push as the second factor (Fig. 1). Although the adoption of U2F has remained flat and is the least used factor of all of those available to Duo users, we hope to see this increase as more browsers adopt the FIDO standards and more services provide U2F as a second factor option to their users. The increased use of Duo Push as the second factor is a good sign as a greater population of users are now able to use of two-factor authentication in a more secure and usable way.
The draft of the Digital Authentication Guideline recently concluded its public comment period and is due to release a new draft by the end of this year. The recommendations are pretty clear - if your organization is introducing two-factor (or multi-factor) authentication, consider implementing Duo Push and/or U2F, which are both easier to use and deploy, as well as considered stronger authentication factors.
As the specification is finalized, we hope to see a continuing decrease in the number of users using SMS as their second factor and, more importantly, a greater number of organizations across all industries, phasing out the support of SMS passcodes as a second factor. While using SMS for two-factor authentication is clearly better than no two factor at all, it’s important to recognize the tradeoffs and consider more modern authentication methods that are both stronger and easier to use.