
Two-Factor Authentication and SMS Messages: Don’t Let The Perfect Be The Enemy Of The Good

  • Posted on: August 2, 2016 at 1:05 am
  • Posted in: Social
  • Author: Jonathan Leopando (Technical Communications)

Last week, a lot of tech media sites were breathlessly reporting how the National Institute of Science and Technology (NIST) in the United States was saying that two-factor authentication (2FA) via SMS messages would be “deprecated” in future standards. Some took this to mean that this technique was insecure, and that users should shy away from this method.

Let’s step back and see what the NIST really said:

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

The NIST here is talking about a specific concern: how text messages can be intercepted and not sent to a cellular phone if the number is tied to a VoIP (or similar) service. Of course, that’s not the only security worry with SMS messages: they can be stolen by Android malware. Social engineering can also target either the cellular provider (to deactivate the original SIM, and provide a new one to attackers) or the websites (to deactivate 2FA).
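As an added illustration of the two requirements in the NIST text quoted above (the pre-registered number must be on a mobile network rather than a VoIP service, and changing it must require 2FA at the time of the change), here is a small Python verifier written for this post; it is not Trend Micro's or NIST's code. The NUMBER_TYPE table is a constructed stand-in for a real number-type lookup service, and the SmsVerifier class, its method names and the time windows are assumptions.

```python
import hmac
import secrets
import time

# Constructed lookup standing in for a number-type / portability service;
# the verifier must confirm the number is on a mobile network, not VoIP.
NUMBER_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
    "+15550100004": "mobile",
}

class SmsVerifier:
    def __init__(self, now=time.time, code_ttl=300, reauth_window=60):
        self._now = now                  # injectable clock for testing
        self._code_ttl = code_ttl        # seconds a sent code stays valid
        self._reauth_window = reauth_window  # how fresh the 2FA must be to change the number
        self._enrolled = {}   # user -> pre-registered number
        self._pending = {}    # user -> (code, expiry)
        self._last_2fa = {}   # user -> time of last successful verify
        self.sent = []        # (number, code) handed to the SMS gateway (stubbed)

    def enroll(self, user, number):
        """Register a number, or change it only if the user did 2FA just now."""
        if NUMBER_TYPE.get(number) != "mobile":
            raise ValueError("number not on a mobile network; SMS OOB refused")
        if user in self._enrolled:
            last = self._last_2fa.get(user, float("-inf"))
            if self._now() - last > self._reauth_window:
                raise PermissionError("changing the number requires 2FA now")
        self._enrolled[user] = number

    def send_code(self, user):
        number = self._enrolled[user]
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
        self._pending[user] = (code, self._now() + self._code_ttl)
        self.sent.append((number, code))
        return number

    def verify(self, user, code):
        """Check a code: single use, time-limited, constant-time compare."""
        entry = self._pending.pop(user, None)  # consumed even on failure
        if entry is None:
            return False
        expected, expiry = entry
        if self._now() > expiry or not hmac.compare_digest(expected, code):
            return False
        self._last_2fa[user] = self._now()
        return True
```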

That said, some 2FA is better than no 2FA at all. We still see a lot of systems in vital industries–ICS and health care, for example–where 2FA ought to be used, but isn’t. In these cases, some form of 2FA is still an improvement.

In the security industry there is a tendency to let the perfect be the enemy of the good. This is a good example. 2FA via text messages, for all its flaws, is still an improvement over an ordinary username-and-password system. In addition, the barriers to entry–cost, ease of use, and hardware requirements–are lower than with more secure 2FA systems.

What do we advise users to do? For end users: if any site you use–your bank, your social media site, any other website–offers 2FA, use it. Urge sites you use that don’t have it to adopt it.

For system administrators considering whether to adopt 2FA for their own systems, our advice is: don’t rule out SMS as a method just because of news reports that say it’s “insecure”. For systems that need the maximum protection, maybe it’s not appropriate. However, for systems where ease of use, cost, and user acceptance matter–it’s still a viable solution.

Of course, more secure systems like hardware tokens or app authenticators should be used as well, but don’t automatically rule out text messages. After all, consider the alternative: user names and passwords. As we’ve learned in the past few weeks, those have far more severe problems.

With additional insights from Martin Roesler and Robert McArdle

Tags: 2FA, NIST, two-factor authentication
