You can do everything in your power to ensure your security is top of the line, but inevitably, there are limits to the measures you can take. Even best practices have inherent weaknesses. Case in point: The federal government recently noted flaws in the popular two-factor authentication method.
In a lot of ways, online news is a giant game of telephone, where one story begets another story, and that leads to some disconnected threads down the line. Unfortunately, this kind of telephone game can confuse and mislead the public.
A good example of this played out last week, after the National Institute of Standards and Technology (NIST) released a draft report about digital authentication. Buried deep inside its nonbinding recommendations was a note about two-factor authentication, specifically how it’s used with SMS, the common platform used for texting.
But the process, as I noted a while ago, has never been perfect. Incidents of hackers getting around the authentication by calling up phone companies are not unheard of.
And that, partly, is why NIST’s draft guidance calls on agencies to reconsider SMS as the best approach for “out-of-band,” or non-password, verification.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” the report states. “If the out-of-band verification is to be made using a SMS message on a public mobile telephone network, the verifier shall verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”
Regular users and even many employers don’t need to lock up accounts like Fort Knox, but they do need stronger security than a handful of random characters.
(Other methods, such as push notifications on mobile devices, were recommended instead.)
Quickly enough, this call got misconstrued, with some media outlets suggesting that two-factor would be “banned,” rather than “depreciated”—a much lighter term expressing disapproval. Some outlets even suggested that users would no longer be able to use two-factor on their personal devices.
Furthermore, the reaction overplayed exactly how far NIST was in its process (not very; it’s merely soliciting comments at this stage) and how binding the decision would be (not very; standards are obviously not law, and in this case, they would apply only to government agencies).
This whole mess led NIST officials to publish a blog post clarifying what it was trying to say: that SMS has weaknesses that may make it less than ideal for government uses.
“We don’t want you to use SMS as a second factor, but we absolutely want two-factor authentication, in fact, we recommend it for all levels of assurance,” Paul Grassi, the senior standards and technology advisor at NIST, told ZDNet in an interview.
Does It Work for You?
The episode highlights a key point for IT departments: Technology use cases come down to your needs, and this story was all about someone else’s needs—the needs of the federal government.
Violet Blue, a security journalist who writes for Engadget, noted in a snarky take on this whole mess that “neither the practical use cases for [two-factor authentication] nor the emphasis on a draft recommending depreciation were what came out in this week’s mainstream news.”
Regular users and even many employers don’t need to lock up accounts like Fort Knox, but they do need stronger security than a handful of random characters. The federal government, which literally owns Fort Knox, needs security like Fort Knox.
But even if we won’t follow every detail of NIST’s draft standards right now, they could play an important role for the public later. Security approaches tend to trickle down, and when they do, vendors will inevitably come up with alternate solutions that work better than what’s currently available.
Example: Google, which popularized SMS-based two-factor authentication, announced an updated process back in June. Now, mobile users will get a prompt allowing them to accept or deny a sign-in without ever typing in a code in the first place. It gets around the SMS problem entirely while making the user experience easier.
Your association and its employees should probably be using two-factor authentication of some kind, whether it involves a mobile phone, a fingerprint, or a dongle of some kind—at least for certain kinds of information.
But you should also be realistic about those security standards, because they do have limits, and those limits should be communicated to users who rely on that security. Heck, even solutions considered extremely secure, like the popular password manager LastPass, occasionally get exposed to massive security flaws.
Text Messages from the Edge
On Sunday, Ars Technica posted an interesting first-person story by Kapil Haresh Vigneswaren, a Canadian graduate student who barely avoided an aggressive attack on his Apple accounts. He nearly lost everything on his computers but salvaged it by forcing his various devices offline before they could be remotely wiped.
But in the process of re-enabling his accounts, he realized that two-factor authentication wasn’t enabled on the Find My iPhone app, nor was pattern monitoring, a common method to discover if accounts are being accessed from faraway locations or in unusual ways.
“I can see why Apple decided against using the same [two-factor authentication] for Find My iPhone ,” Kapil wrote. “Ideally, you’d only use Find My iPhone when you lose your device, hence you’d not be able to access your text and on-device authentication. But for there to be no [two-factor authentication] for Find My iPhone doesn’t quite add up.”
All this is to say that two-factor authentication isn’t perfect, even if it is better than a whole boatload of alternatives. What happened to Haresh is an edge case—the kind that NIST is attempting to address by curtailing the use of SMS in the federal government.
Such incidents will not come up for the majority of your users, but you should be aware of the outliers and know how much you want to plan for them in the future.
You don’t have to live on the edge, but you should know what’s on the other side.