industry news Sunday 16 Oct 2016 @ 13:10 SMS authentication on the way out
To log in using one-time passwords via SMS has been a popular method for businesses, governments and banks that want to increase security instead of logging in with fixed passwords. While this method is generally considered more secure than fixed passwords, and good enough security for many applications, new threats have exposed serious vulnerabilities in the messaging infrastructure. Now international regulations are on their way, which may disqualify one-time passwords (OTP) sent by text messages as a method for securing digital identities.
2FA is a method for making the login to online services safer by requiring the user to know more than one factor, such as a password, to login. Examples of additional factors may be a hardware token, a one-time password via a mobile phone or an SMS with a one-time password (OTP). But the new recommendations, from both the US National Institute of Standards and Technology (NIST) and the European Banking Authority, show security shortcomings of solutions based on SMS login and make them unlikely to be used to the same extent in the future.
NIST, that develops global standards and guidelines for IT, is expected to recommend that one-time passwords via SMS messages be disqualified as a reliable method of identity verification. The recommendation refers to American organisations, but will eventually affect all international companies and organisations which have collaborations with US companies and government agencies.
In Europe, there are new guidelines that apply to most of the European banks since August 2015. According to the guidelines, designed by the European Banking Authority (EBA), OTPs via SMS messages, email, or mobile ID apps storing PINs on the device, should be avoided. Instead mobile identity solutions, which avoid storing or validating a PIN code on the device, and which can ensure data confidentiality by using encryption, are recommended. Other recommended solutions are the traditional tokens and card readers.
In Europe, several major banks, businesses and governments still use one-time passwords via SMS for logging in.
SMS is considered a weak verification that does not meet the high security standards required for digital authentication, states both NIST and the EBA. Another shortcoming in a text-based login system is that there is an operator cost of SMS messaging, which can be significant with large user groups. Solutions based on separate hardware tokens or on card readers are secure, but come at a high per-user cost along with the hassle for users to bring an extra device.
Given how crucial the digital identity has become in our digital lives, it comes as no surprise that the security requirements have increased. The mobile phone will play a central role and will most likely be the device we use for identifying ourselves in the digital space. A mobile identity app can be as simple for the user as an SMS message and considerably more secure, but without the onerous cost for operator fees.
For banks, businesses and governments, a secure and easy to use digital identity is at the core of their digital transformation. With international regulations putting SMS authentication out of play, institutions like NIST and EBA paves the way for the next generation of digital identities, leveraging the mobile phone. So while SMS messages containing passwords are on the way out, the mobile is most certainly here to stay.