15/08/16 London, UK
News that the National Institute of Standards and Technology (NIST) is a step closer to banning SMS-based two-factor authentication has been welcomed by Aspect Software, with the hope that it will drive the UK banking industry to adopt stronger and more innovative methods of establishing confidence in user identities.
The draft NIST Special Publication 800-63-3: Digital Authentication Guideline has called for the deprecation of SMS-based two factor authentication, identifying its inherent security flaws. The guideline asserts that US government service providers should start to phase out using SMS as the second factor when confirming user identities because of the possibility that one-time codes could be intercepted or redirected.
While the guideline falls short of banning SMS-based authentication altogether, the NIST has made it clear that the vulnerabilities of SMS mean that agencies should look for alternatives, warning that they could at any given time ‘expressively disallow it’.
Keiron Dalton, Director of Customer Strategy & Innovation at Aspect, said that the guidance should be seen as a warning shot for the UK banking industry, which will need to deploy additional layers of security if it is to safeguard its customers’ accounts and maintain consumer confidence.
He said: “We’ve been talking about the risks of SMS authentication in isolation for some time now, so it’s encouraging that the NIST has identified this as an issue. Many banks have turned to SMS to deliver one-time passwords to their customers to authenticate payments, because it’s incredibly convenient and fits the mobile lives of today’s consumers. More and more people want to use text but as NIST rightly points out, it’s fallible, can be compromised, and it’s already creating some real headaches for the industry. One of the biggest issues is SIM Swap, when somebody unlawfully obtains an identical SIM card to a mobile user and re-directs communications – including SMS – away from the intended recipient and towards the hacker, leaving their accounts open to attack.
“The challenge is that the banks are somewhat between a rock and a hard place. Customers rightly demand security in their transactions, but don’t want to jump through hoops to get it. They’re also increasingly intolerant to processes that interrupt the natural flow of a transaction. There’s a delicate balance that can be struck between security and convenience, but many banks haven’t yet found it,” Dalton continued.
Dalton added: “We’ve been working closely with the industry to find methods that are sufficiently secure but don’t interrupt consumers’ lives. One such way is to deploy technologies behind the scenes that promote undetectable verification but don’t create friction in the customer experience. SMS should be supported by additional checks performed in an imperceptible way to identify the right information, context and user behaviours, to improve both the confidence of the bank and the customer that they have not been compromised. Examples include deploying sophisticated fraud detection such as SIM Swap and divert detection, as well as location checks using readily available mobile data, to ascertain user identity.
“It is a business imperative that banks establish these imperceptible safety procedures. Without them in place, they will surely lose business to competitors offering secure and highly convenient payment options,” he concluded.