From the buzz in the technology press over the last two weeks, one might think that end times are nigh in the world of authentication.
Several media outlets wrote stories discussing NIST’s recent proposal around use of SMS-based solutions for digital authentication in the U.S. government, with headlines like “NIST axes SMS-based two factor authentication” and “U.S. government says SMS codes aren’t safe – so now what?”
While NIST weighed in with a blog of its own clarifying its intent – including making clear that it was not yet banning use of SMS, only discouraging its use – the notion that a commonly-used authentication technology is facing its end-of-life ought to be cause for celebration, not dismay.
Technology constantly evolves – and as it does, security evolves with it. NIST, for example, withdrew support for the Data Encryption Standard (DES) in 2004, after it became clear that DES was increasingly vulnerable, and steered agencies toward use of the faster, stronger Advanced Encryption Standard (AES). Likewise, NIST guided agencies to stop using the SHA-1 family of hash functions in 2006, instead recommending the more secure SHA-2 algorithms.
As technology continues to change, the obsolescence of some solutions shouldn’t be feared, it should be welcomed. Particularly when the reason the obsolescence is happening is because old technologies are being replaced with ones that are more secure and easier to use.
We’ve seen this with clunky single-use cell phones being replaced by sophisticated smartphones designed to make every interaction easy and natural. And we’ve seen it with the emergence of new operating systems and computing platforms that build security in from the start, rather than require end-users to struggle with managing an array of different security controls on their own.
This same evolution is happening in authentication, and not a moment too soon. We’re coming off yet another year where the password was the vector of attack in the majority of breaches. The need for authentication solutions that go beyond passwords is stronger than ever.
But with this need in mind, the reality is that the first generation of “multi-factor” authentication solutions the market produced – tools like SMS and One Time Passwords (OTP) – might have improved security, but they degraded the user experience. Consumers do not want – and have demonstrated they are not willing – to use security technologies that create extra burdens for them.
The good news is that the market is responding – and innovating to create a new set of next generation authentication tools that can address the old “security vs usability” tradeoff that plagued the first set of technologies. New industry efforts like the FIDO Alliance have brought together not just security vendors, but also banks, online retailers, payment card networks, mobile network operators (MNOs), handset manufacturers, health insurers and others to collaborate to create new standards that enable not only great security, but also a terrific user experience.
The cycle has been logical – the security tools we use follow advances in technology:
The creation of SMS and widespread penetration of first-generation cell phones created an out-of-band channel for organizations to text out an OTP.
The move to smartphones enabled firms like RSA, Google, and Authy to create OTP apps that were more secure than SMS and offered the ability to function even in cellular “dead zones.” But while offering security advantages, these apps have not caught on due to the need 1) for consumers to actively download a dedicated app for strong authentication and 2) a mediocre user experience requiring consumers to stop what they are doing, launch an app and then enter a code.
Today we’re seeing a third evolution, driven by the fact that most mobile devices and computers are shipping with a secure, embedded hardware root of trust such as a Trusted Execution Environment (TEE), Trusted Platform Module (TPM) or Secure Enclave (SE), as well as multiple biometric sensors. This is a remarkably significant development in the market — it means that the “primitives” are in place for stronger authentication solutions that blow away legacy SMS and OTP in both security and usability.
Next generation solutions are coming not a moment too soon. NIST’s warnings about the risks of SMS are hardly the first; Google publicly flagged the issues they were seeing with SMS and other one-time password approaches in June 2015, specifically noting the problems with increased phishing of OTPs. Gartner likewise raised this issue last November, and the U.S. Federal Trade Commission (FTC) issued a warning in June.
FIDO's approach uses public key cryptography – replacing the old “shared secrets” model of SMS and OTP with an asymmetric cryptographic key pair. This key pair means there are no “shared secrets” such as passcodes that hackers can intercept; FIDO authentication is unphishable.
Authentication is an important enough issue that the White House made it a centerpiece of its Cybersecurity National Action Plan (CNAP) earlier this year, launching an effort in partnership with the private sector to promote the use of strong, multi-factor authentication for all Americans.
As that effort spurs a new, public-facing campaign around authentication this fall, it will be important for companies to note what NIST, Google and Gartner have stated – that all authentication technologies are not created equal. Next generation authentication solutions are here today that address the weaknesses of SMS and other “shared secrets” technology, providing tools that are not only more secure, but also easier to use.
Jeremy Grant is Managing Director at The Chertoff Group, leading the firm’s identity practice. He is an advisor to the FIDO Alliance.