That’s the message from the U.S. government’s former czar for secure online identity about the feds’ recent move toward phasing out SMS-based one-time passwords as a second-factor ID.
The move by the National Institute of Standards and Technology, despite having caused some consternation in the tech community, is a good thing, says Jeremy Grant.
Grant, the former head of the Obama administration’s National Strategy for Trusted Identities in Cyberspace wrote a blog posting for the FIDO Alliance, a non-profit working to promote interoperable and user-friendly technical standards for secure online ID.
‘[One-time passwords] have been around for more than 20 years,’ Grant said. ‘They had a good run, but technology has evolved … the good news is, there are more secure alternatives.’
In his blog post, Grant discusses the concerns about SMS passwords that have emerged over the past year or so; going back to a Google engineer’s presentation about SMS phishing last year at the Cloud Identity Summit. He also cites a blog post in June from FTC Chief Technologist Lorrie Cranor, which warned of the dangers of SIM-card hijacking and splitting.
The tools that cybercriminals need to bypass the out-of-channel authentication that SMS provides have become commoditized and are increasingly available to even low-level hackers, he said.
‘What was sophisticated five years ago is commonplace today … Even a one-time password is still a password, it’s still a shared secret that can be learned by an attacker. It’s time to move on.’
Fortunately, Grant believes there’s a better technology standard to use in the FIDO Alliance.
The standard, he explains, relies on the fact that most computing devices now come with some kind of secure hardware, ‘a specialized chip or portion of a chip that’s walled off from the rest of the device, so that even if a hacker owns the device, he can’t get at that special secure hardware.’
That hardware — whether it’s Microsoft’s Trusted Platform Module, Apple’s Secure Enclave or Android’s Trusted Execution Environment — is where the private encryption key is stored for the FIDO-compliant ID authentication process.
The public key is held by whatever service a user wants to login to. Like any asymmetric encryption, the user needs the private key that matches the appropriate public key.
‘It’s the same underlying technology as [public key infrastructure, or] PKI,’ he said. ‘Think of it as PKI-lite … all the benefits without the heavy lifting. It’s quicker to use, cheaper to install, easier to integrate.’
Users access their private key via a biometric like a fingerprint or retina scan if their device is a smartphone, or they can use a special device, like a keystick — basically a USB drive that stores the key.
Because of the way the special hardware enclave protects the key, hackers can’t get at it unless they can physically access the device.
‘Yes, someone could steal my phone and fake my fingerprint, Grant said, ‘if they could do it before I realized my phone was gone.’
Discussing ways of defeating the technology, Grant said: ‘You start to get into some ‘Mission Impossible’ scenarios. They’re not impossible, but they’re very difficult, they’re resource intensive and most importantly, they don’t scale.’