The National Institute of Standards and Technology (NIST) recently updated its guidelines on two-factor authentication, including a statement that out-of-band verification methods using PSTN, SMS, or voice calls are deprecated. What does this mean, and why is it important? Most importantly, how can organizations implement multi-factor authentication (MFA) that complies with the NIST regulations?
In two-factor authentication, users are required to present something they know (such as a password) and something they have (such as a one-time password or a card). It is best to establish the secondary authentication method through a separate communication channel, i.e., out-of-band (OOB). To hack an account, an attacker must then compromise both the password and the device or channel used for secondary authentication, which is more difficult than obtaining a single password.
The latest draft of NIST Special Publication 800-63B Digital Authentication Guideline addresses the use of the PSTN as an OOB authentication verifier:
“Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the OOB verification is to be made using the PSTN, the verifier SHALL verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service. It then sends the SMS or voice message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. Note: OOB authentication using the PSTN (SMS or voice) is deprecated, and is being considered for removal in future editions of this guideline.”
NIST explains that SMS interoperability means that messages sent to a phone number are not necessarily delivered to a mobile phone—they can be received as an SMS, a Multimedia Messaging Service (MMS) message, or an iMessage. As a result, NIST advises federal agencies to verify that phone numbers are indeed connected to a mobile device. However, even numbers connected to a mobile device present a risk, since attackers are increasingly redirecting and/or intercepting SMS messages and voice calls.
While OOB authentication using the PSTN is stronger than using a single password, it is still not the best option, and the NIST says federal agencies should consider moving to a more secure alternative in the future.
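The quoted draft text sets two enforceable rules for a verifier that still uses the PSTN: it must confirm that the pre-registered number is not a VoIP or other software-based service before sending anything to it, and it must refuse a change of that number unless a second factor has been presented at the time of the change. The following Python is an added example that is not part of the original article or of any vendor's product; the `LINE_TYPE` table is a constructed stand-in for the carrier or number-intelligence lookup a real verifier would perform, and the five-minute freshness window for the second factor is an assumed policy value.

```python
"""Policy gate for PSTN out-of-band (SMS/voice) verification, modelled on the
SP 800-63B draft requirements quoted above. Example code, not from the article."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed lookup standing in for a number-intelligence query:
# phone number -> line type reported for it.
LINE_TYPE = {
    "+15550100": "mobile",
    "+15550101": "voip",       # software-based service: SHALL NOT be used
    "+15550102": "landline",
}

MFA_FRESHNESS_SECONDS = 300    # assumed policy: second factor must be this recent


class PolicyError(Exception):
    """Raised when a request violates the PSTN OOB policy."""


@dataclass
class Account:
    phone: str
    mfa_verified_at: Optional[float] = None   # time of last successful second factor


def line_type(number: str) -> str:
    """Return the line type for a number; unknown numbers are reported as 'unknown'."""
    return LINE_TYPE.get(number, "unknown")


def pstn_oob_allowed(number: str) -> bool:
    """SHALL check: the number must be a real PSTN line, not VoIP/software-based.
    An unknown line type fails closed, since the verifier cannot satisfy the check."""
    return line_type(number) in ("mobile", "landline")


def send_oob_code(account: Account) -> str:
    """Generate a one-time code for delivery to the pre-registered number.
    Hand-off to an SMS/voice gateway is out of scope; the code is returned so
    the caller can store its hash for later comparison."""
    if not pstn_oob_allowed(account.phone):
        raise PolicyError(f"{account.phone} is {line_type(account.phone)}; PSTN OOB not permitted")
    return f"{secrets.randbelow(10**6):06d}"


def verify_oob_code(expected: str, submitted: str) -> bool:
    """Constant-time comparison so timing does not leak digits of the code."""
    return hmac.compare_digest(expected, submitted)


def change_phone(account: Account, new_number: str, now: float) -> None:
    """SHALL NOT change the pre-registered number without two-factor
    authentication at the time of the change."""
    if account.mfa_verified_at is None or now - account.mfa_verified_at > MFA_FRESHNESS_SECONDS:
        raise PolicyError("second factor required at the time of the change")
    if not pstn_oob_allowed(new_number):
        raise PolicyError(f"{new_number} is {line_type(new_number)}; cannot be registered for PSTN OOB")
    account.phone = new_number


if __name__ == "__main__":
    acct = Account(phone="+15550100")
    code = send_oob_code(acct)
    print("would deliver code to", acct.phone, "->", verify_oob_code(code, code))
    try:
        change_phone(acct, "+15550102", now=1000.0)
    except PolicyError as e:
        print("blocked:", e)
    acct.mfa_verified_at = 900.0
    change_phone(acct, "+15550102", now=1000.0)
    print("number changed to", acct.phone)
```

The freshness check is the part most implementations get wrong: a second factor presented at login hours earlier does not satisfy "at the time of the change", so the verifier should re-prompt rather than trust an old session flag.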
Authentication Alternatives to the PSTN
What are the alternatives? One option is the use of derived credentials, which leverage the cryptographic credentials associated with smart cards but eliminate the need for a physical card or to install a dedicated reader. With derived credentials, the cryptographic credential is stored securely on a mobile device in compliance with smart card regulations, meaning the mobile device has secure access to apps, websites, and services that require smart card authentication.
A second alternative: leverage a trusted execution environment to securely store authentication credentials, such as private cryptographic keys and biometric data. A trusted execution environment integrated with an MFA solution can provide context-based authentication and convenience for users.
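What both alternatives have in common, and what distinguishes them from an SMS code, is that the secret stays on the device and only a fresh, single-use proof of possession crosses the network, so there is nothing for an attacker to intercept and reuse. The Python below is an added illustration of that challenge-response flow, not code from the article or from any product it names. It uses an HMAC-SHA256 key held by a `Device` object as a stand-in for the PIV-derived key pair a real derived credential would use (which would sign with RSA or ECDSA and be verified against its certificate); the verifier-side logic of issuing a random nonce, binding it to one device, expiring it and accepting it once is the same in both cases. Device identifiers and the 60-second challenge lifetime are constructed values.

```python
"""Possession-based challenge-response with a device-held key.
Example code, not from the article; HMAC stands in for an asymmetric signature."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

CHALLENGE_TTL_SECONDS = 60.0   # assumed lifetime of an unanswered challenge


class Device:
    """Models the credential holder. In a TEE or secure element the key is
    generated inside the hardware and only the respond() operation is exposed."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)          # never leaves the device

    def enrollment_material(self) -> bytes:
        # With an asymmetric derived credential this would be the public key /
        # certificate; for the HMAC stand-in the shared key is exported once at enrollment.
        return self._key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Verifier:
    """Server side: enroll devices, issue nonces, check single-use responses."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[bytes, Tuple[str, float]] = {}   # nonce -> (device_id, expiry)

    def enroll(self, device_id: str, material: bytes) -> None:
        self._keys[device_id] = material

    def issue_challenge(self, device_id: str, now: float) -> bytes:
        if device_id not in self._keys:
            raise KeyError(f"unknown device {device_id}")
        nonce = secrets.token_bytes(32)              # unpredictable, so responses cannot be precomputed
        self._pending[nonce] = (device_id, now + CHALLENGE_TTL_SECONDS)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes, now: float) -> bool:
        entry = self._pending.pop(nonce, None)      # single use: a replayed nonce is gone
        if entry is None:
            return False
        bound_device, expiry = entry
        if bound_device != device_id or now > expiry:
            return False
        expected = hmac.new(self._keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(verifier: Verifier, device: Device, device_id: str, now: float) -> Tuple[bytes, bytes, bool]:
    """One complete exchange; returns (nonce, response, accepted) for inspection."""
    nonce = verifier.issue_challenge(device_id, now)
    response = device.respond(nonce)
    return nonce, response, verifier.verify(device_id, nonce, response, now)


if __name__ == "__main__":
    v = Verifier()
    d = Device()
    v.enroll("phone-A", d.enrollment_material())
    nonce, resp, ok = login(v, d, "phone-A", now=0.0)
    print("first use accepted:", ok)
    print("replay accepted:", v.verify("phone-A", nonce, resp, now=1.0))
```

Compared with the SMS flow, the captured traffic here (a nonce and its response) is useless to an attacker: it cannot be replayed because the verifier discards the nonce on first use, and it cannot be adapted to a new nonce without the key, which never left the device.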
To learn more, visit Centrify.