Cygilant Blog

SMS Not Recommended for Two-Factor Authentication Says NIST

Posted by Trevan Marden on Jul 29, 2016


In recent years, two-factor authentication has rapidly become a standard best practice for securing accounts. One of the most common ways to implement it is through SMS messages sent to a cell phone. For example, if you enable two-factor authentication for a Google account and then try to log in with your password from a new computer or other device, Google will send a text to your cell phone with a code you’ll need to enter on the login screen. The code verifies that, along with having the correct password, you also have physical access to the cell phone associated with the account. That sounds good. But recently, flaws in the SMS system have been uncovered that render this method of two-factor authentication inadvisable. In fact, the National Institute of Standards and Technology (NIST) will recommend against its use as a two-factor method.


As Andy Greenberg notes in an earlier article for Wired, there are a number of methods hackers can use to exploit vulnerabilities in the SMS system. Since these messages are not actually “something you have,” but rather “something that was sent,” the messages can be intercepted in transit. One method would be to use a Stingray-type device to intercept cell phone traffic and capture the message via a man-in-the-middle attack. Another method would exploit weaknesses in SS7 telecom infrastructure to spoof the receiving cell phone.


While adding SMS messages as a factor may be more secure than simply using a single password, it’s important to acknowledge the vulnerabilities that exist in using this as a two-factor authentication method. Since any login could become compromised, it continues to be important to follow industry best practices around monitoring security event logs, network traffic, and other details to identify suspicious behavior from potentially compromised accounts. For example, are you observing logins at unusual times of day or from an odd geographic location? Were there a number of failed attempts or a port scan detected prior to the successful login? These are important questions to answer in order to discover potentially compromised accounts.
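As an added example (not part of the original post), the sketch below turns three of these questions into checks over authentication events: failed attempts shortly before a success, a login at an unusual hour, and a login from a location not seen before for that user. The event format, thresholds, function name and sample data are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (time, user, source country, outcome)
EVENTS = [
    ("2016-07-25T09:02:00", "alice", "US", "success"),
    ("2016-07-26T08:55:00", "alice", "US", "success"),
    ("2016-07-26T10:00:00", "bob", "US", "success"),
    ("2016-07-27T03:10:00", "alice", "RO", "fail"),
    ("2016-07-27T03:11:00", "alice", "RO", "fail"),
    ("2016-07-27T03:12:00", "alice", "RO", "fail"),
    ("2016-07-27T03:14:00", "alice", "RO", "success"),
    ("2016-07-27T10:30:00", "bob", "US", "fail"),
    ("2016-07-27T10:31:00", "bob", "US", "success"),
    ("2016-07-28T22:15:00", "bob", "US", "success"),
]

# Assumed thresholds; tune them to your own environment.
FAIL_THRESHOLD = 3                    # failures before a success worth a look
FAIL_WINDOW = timedelta(minutes=10)   # how far back failures still count
USUAL_HOURS = range(7, 20)            # 07:00-19:59 in the log's time zone

def review_logins(events):
    """Return (time, user, reasons) for each successful login worth reviewing."""
    known_countries = defaultdict(set)  # user -> countries in the baseline
    recent_fails = defaultdict(deque)   # user -> times of recent failures
    findings = []
    for ts, user, country, outcome in sorted(events):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        fails = recent_fails[user]
        while fails and when - fails[0] > FAIL_WINDOW:  # expire old failures
            fails.popleft()
        if outcome == "fail":
            fails.append(when)
            continue
        reasons = []
        if len(fails) >= FAIL_THRESHOLD:
            reasons.append("failures-before-success")
        if when.hour not in USUAL_HOURS:
            reasons.append("unusual-hour")
        if known_countries[user] and country not in known_countries[user]:
            reasons.append("new-location")
        else:
            known_countries[user].add(country)  # flagged locations stay out
        if reasons:
            findings.append((ts, user, reasons))
        fails.clear()
    return findings
```

A login that trips several checks at once, like the 03:14 success in the sample data, is a stronger signal than any single reason alone.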


If you are struggling with collecting or reviewing the information needed to answer these questions, EiQ can help. Our SOCVue Security Monitoring service provides the people, process, and technology for effective security monitoring. More and more, organizations that were previously understaffed, underbudgeted, and overwhelmed are finding that EiQ’s hybrid security as a service, which combines the best people, process, and technology, is a welcome change from going it alone. EiQ is transforming how mid-market organizations build enterprise-class security programs. Acting as an extension of our customers’ IT teams, EiQ’s SOCVue provides continuous security operations based on best-of-breed technology at a fraction of the cost of alternative solutions. EiQ is a trusted advisor to organizations that need to improve their IT security and compliance posture by protecting their infrastructure against cyber threats and vulnerabilities. To learn more, please request a demo today.
