The recent NIST draft report has, we feel quite rightly, kicked off an interesting debate around the quality of SMS authentication. This is a discussion that has many nuances, so we wanted to help by trying to clarify a few things here.
The initial idea for SMS authentication was sound. However, traditional SMS authentication is increasingly outmoded. There are numerous technical reasons behind this, but the overriding fact is that it has been around for a long time. Like any security protocol, traditional SMS authentication put itself on a pedestal which only served to make it a target. In short, all kinds of curious minds and nefarious individuals started trying to break it.
A number of years later, there are a variety of ways around traditional SMS 2FA. Some are technically complicated and others use more simple methods and are only a Google search away.
The main problem is the traditional approach only relies on confirmation of two separate data points, a human provided username and the possession of the content of an SMS.
Authentication in our modern data-driven world needs to be so much more than this. To use an analogy, hearing a knock at the company door would you rather let the person in after just seeing their eyes and nose, guessing that it looks like your employee, or would you rather see the full face, ask them who they are and where they have been?
This is what next-generation authentication does. It asks infinitely more questions of the login attempt, so when someone says they are Alex from Accounts, you know it’s them. It automatically cross-references session IDs, geo-location data, time of day and a variety of other markers to build a picture of each specific individual in your company. Once it knows it is you, and only then, will it issue a passcode in the form of an SMS, email, voice call or whole variety of other ways.
After all, in the brave new world of authentication, the SMS itself is just a delivery channel. The clever stuff is done by analyzing the data and is hidden behind the scenes.
Like any part of the security sector, we continually invest a significant amount of R&D time ensuring that when we say an authentication technique is secure, it is. We operate in a world of data analysis and machine learning, specifically to stay ahead of the bad guys. It is for exactly this reason we are trusted by police departments, intelligence agencies, banks, federal banks and other large global companies.
It’ll be interesting to see how the final guidelines affect the authentication market. It is important to understand there are huge differences in sophistication in the back ends of authentication systems.
At CensorNet we provide multi-factor authentication and support a variety of methods, but if you do it right, there should be no reason why you can’t leverage the most widely spread communication channel – the mobile phone network and use SMS as a delivery channel. The analysis just needs to happen in the background to ensure the person logging in is authentic.
My thought is that the report will accelerate a wider shift towards more advanced solutions, such as ours. This is obviously something we have been saying for some time, so it is good to see a wider debate taking place on the topic.