Wednesday, May 15, 2019

Experiences moving away from SMS based 2nd factor authentication

NIST Special Publication 800-63B was released in 2017.

Why 2FA using SMS is good enough for most people: default settings in security are extremely important, since the majority of users never change them. For many sites the default is to allow access with just the standard username and password; users have to opt in to get 2FA enabled.

The NIST publication recommends moving away from SMS-based two-factor authentication:
- SMS text messages can be intercepted
- Users can be susceptible to SMS based phishing

The recommendation is to implement OTP-based hardware or software tokens that are based on asymmetric cryptography. While it is still possible for an attacker to obtain the codes, the attacker is now reduced to one of the following:
- compromise the second factor
- phish the second factor from the user
- physical access

Based on my personal experience: before implementing software tokens and moving away from SMS-based 2FA, make sure you have a backup plan for when you lose those tokens.

A couple of months ago I lost my phone and, as a result, I lost all the software tokens on my device. As a result, I was nearly locked out of some of my accounts.
