NIST Digital Identity Guidelines – SMS in Authentication Strategies
As we anticipated when we first wrote about the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST), the new recommendations have ignited a fierce debate in the cybersecurity community. What is the best authentication method to protect access to data and systems? Is two-factor enough or does multifactor provide the best defense? What delivery methods are the most secure? Which backend infrastructures ensure the right people access the right data?
These questions have spawned contradictory opinions that have driven several revisions of NIST guidelines. One key recommendation is that organizations use multifactor authentication (MFA) to deter hackers and improve the authentication process, and NIST has recently refined their advice surrounding SMS passcode delivery as part of a multifactor authentication strategy. The recommendation now includes the use of out-of-band techniques, namely passcode delivery via a registered device you have, such as a cell phone, to add another identity proof layer to the process.
At Censornet, we’ve long agreed with this stance and have built our MFA solution to deliver maximum security by combining several factors, including geo-location, session ID, network IP, login time, passwords and cryptographically strong random-generated, one-time passcodes that can be delivered via SMS, email or voicemail. The flexible delivery methods serve to improve security while also providing user convenience that protects access beyond the firewall – an increasingly important consideration as workplace mobility continues to rise.
Reduce impact of large scale data breaches by protecting user accounts with more than just passwords.
Not only are passcodes generated in real-time, they are locked to the session-ID of each particular login attempt. This eliminates the consequences of Phishing attacks because there are no pre-issued passcodes or seed files that can be hacked. Plus, the passcodes are sent via Flash SMS so passcodes aren’t stored on the mobile phone. Even if a SMS text containing the passcode were to be intercepted or re-directed, the passcode is rendered useless if it’s not combined with the other factors.
What’s more, Censornet does not enable self-device enrollment as some competitor solutions do by enabling users to register their devices easily over the Internet with only a user name and password. This offers another protection layer because administrators ensure that all devices are verified.
Our team continues to follow the evolution of authentication best practices with great interest, and it’s encouraging to see organizations like NIST recognizing the value of MFA in disarming hackers of their preferred weapon – stolen or weak credentials. As we shift more of our behaviors to the online and cloud world, we will need to continue to protect our digital identities with sophisticated tools and methods.