You may have read about NIST lately: NIST is updating its Digital Authentication Guideline.
NIST is the National Institute of Standards and Technology. It is part of the United States Department of Commerce and works on standards that are adopted by several governmental institutions and also by companies. It is a physical laboratory that deals with topics like earthquakes and fire protection, but it also sets standards in information technology. For example, NIST played its role in defining the encryption standards DES and AES.
Digital Authentication Guideline
NIST has now released a draft of its Digital Authentication Guideline. This guideline describes how to evaluate risks in authentication processes and also gives dedicated countermeasures and advice. Two-factor authentication plays an important role.
The interesting and new part is that the draft SP 800-63B explicitly points out the risks of out-of-band authentication using SMS (text messages). In its section on out-of-band authentication, the use of SMS is even marked as deprecated:
OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
No authentication technology lasts forever
We do not want to start bashing SMS. But we should be well aware that no authentication technology is built for eternity or will withstand hackers forever. Technologies and processes we are using today may work very well – today. But tomorrow things may have changed, and these technologies and processes may be easily bypassed by hackers.
The common conclusion should be: the authentication technology or authentication process in use must be replaceable. We should not rely on a product that only implements one authentication process – in this case SMS – because the effort of changing to another authentication process would then mean changing the complete software, the complete backend, the vendor: getting a completely new solution.
Everlasting authentication with privacyIDEA
This is why NetKnights relies on privacyIDEA. privacyIDEA is an authentication system that supports a broad variety of tokens, authentication devices and thus authentication technologies and processes. Of course privacyIDEA supports one-time passwords via SMS and email. But it also supports one-time passwords generated by smartphone apps, challenge-response mechanisms, many different kinds of OTP hardware devices, YubiKeys, and also X.509 certificates and SSH keys.
A company which uses privacyIDEA has no problem with the NIST guideline. It can simply enroll new token types for its users and smoothly migrate from SMS tokens to smartphone apps, hardware tokens or YubiKeys. No software needs to be evaluated and replaced, no vendor needs to be contacted, and no processes need to be changed.
This way privacyIDEA helps to reduce administrative costs and also reduces the TCO. NetKnights provides different levels of service level agreements for privacyIDEA. We also help with the integration of privacyIDEA into the company network and deliver the appropriate tokens.
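To illustrate the replaceability argument made above, here is an added example written for this article (not privacyIDEA's own code): an SMS out-of-band token and an RFC 4226 HOTP hardware token sit behind one verify() interface, so a user can be re-enrolled from SMS to HOTP without touching the login code. The SMS gateway is a constructed callback and the token names are hypothetical.

```python
import hmac, hashlib, struct, secrets, time
from abc import ABC, abstractmethod

class Token(ABC):
    """Common interface: the application's login flow only ever calls verify()."""
    @abstractmethod
    def verify(self, otp: str) -> bool: ...

class SmsToken(Token):
    """Out-of-band code pushed to the user; send_sms is a constructed gateway stand-in."""
    def __init__(self, send_sms, ttl: int = 300):
        self.send_sms, self.ttl, self.pending = send_sms, ttl, None

    def challenge(self, now=None) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending = (code, (time.time() if now is None else now) + self.ttl)
        self.send_sms(code)

    def verify(self, otp: str, now=None) -> bool:
        if self.pending is None:
            return False
        code, expires = self.pending
        self.pending = None  # single use, whether it matches or not
        return (time.time() if now is None else now) < expires and hmac.compare_digest(code, otp)

class HotpToken(Token):
    """RFC 4226 counter-based OTP, as produced by a hardware token or app."""
    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6):
        self.secret, self.counter, self.digits = secret, counter, digits

    def otp_at(self, counter: int) -> str:
        mac = hmac.new(self.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** self.digits:0{self.digits}d}"

    def verify(self, otp: str, window: int = 5) -> bool:
        # A small look-ahead tolerates skipped button presses; advancing the
        # counter past the match prevents replay of an accepted OTP.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(self.otp_at(c), otp):
                self.counter = c + 1
                return True
        return False

def authenticate(enrolled: dict, user: str, otp: str) -> bool:
    """Login check; unchanged when a user's SmsToken is re-enrolled as a HotpToken."""
    token = enrolled.get(user)
    return token is not None and token.verify(otp)
```

Migrating a user is a matter of replacing the entry in `enrolled`; the HOTP values can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`).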