U.S. government says SMS codes aren’t safe – so now what?

We’re all familiar with the SMS text message based security codes used as a security feature by huge numbers of websites from social networks to email to online payments. This is the feature that aims to verify your identity after you log in with a password, by sending a text message to your phone with a code that you use to access the site.

But SMS security codes aren’t safe and should be avoided. That’s the news that’s been circulating over the last few days from NIST – the National Institute of Standards and Technology, the U.S. Government agency that sets the standards for everything from the electric power grid to atomic clocks to personal health records.

So what’s wrong with SMS codes? Are they really unsafe? And if they are, what can we use instead?

SMS codes are really just one form of what’s called “two-factor authentication,” or 2FA. The goal of a 2FA system is to help guarantee that the person logging in with your password is actually you rather than a hacker who has guessed or stolen your password, or recovered it by cracking the passwords in a password dump from a hacked web site. “Two factor” refers to the fact that the system uses more than one way of verifying your identity – the password is the first factor, and the SMS code is one way of providing a second factor.

There are several problems with SMS-based systems that led NIST to decide that SMS-based systems are insecure:

• SMS messages can be delivered through a Voice Over IP (VoIP) network rather than a mobile carrier and are only as secure as the websites and systems of the VoIP provider. If a hacker can interfere with these systems, she can intercept the SMS security codes or have them rerouted to her own phone.
• The phone number used for SMS messages is associated with a SIM card (not with a phone) through a database maintained by the carrier (either a mobile carrier or a VoIP provider). If a hacker can persuade the carrier’s customer support agents that she is the user and has lost her phone, the phone number can easily be linked by the carrier to a new SIM card that the hacker has. All SMS security codes would then be sent to the hacker rather than to the legitimate user.

So where does that leave us? If SMS-based systems aren’t safe, are we stuck with the bad old world in which users have to log in with nothing but a password, making them vulnerable to password theft?

Fortunately, no – there are other 2FA systems that remain safe to use. Some examples of these are:

• Hardware tokens that generate time-based codes. These are the keyfob or credit-card sized dongles that display a numeric code that changes frequently (usually every minute). Each hardware token generates a unique sequence of codes, and a website can require the user to input the current code as proof that they have physical possession of the dongle.
• Apps that generate time-based codes, such as the Google Authenticator app. These work just like the hardware tokens, but instead of a dongle, you use an app on your phone. Once the app is set up, the sequence of codes is unique, just like the hardware dongles.
• Hardware dongles based on the U2F standard from the FIDO Alliance, a group of companies working together to define new authentication methods. These hold a unique key enabling access to the website, and you unlock access to it using your fingerprint.
• Systems that use push notifications to your phone, such as Google’s system for Android phones. These send a push notification to your phone that you acknowledge to approve the login. Your phone is identified not by its phone number but by unique keys, so again this can’t be redirected by a carrier.

And there’s no reason to stop at two factors. Multi-factor authentication (MFA) systems can use more than two factors at once for even higher levels of security.

So, while SMS codes may be risky, users have a choice of other solutions they can start using right away.

Richard Reiner is Chief Technology Officer at True Key by Intel Security.