Tuesday, August 2, 2016

Authentication - Social Security Administration just took a dead end road to secure accounts

     I recently received an email from the Social Security Administration (SSA) notifying me that they are implementing multifactor authentication.  This is what SSA says it means:

 

     I'm all up for keeping my personal information secure, and I'm happy that the SSA is implementing a more secure authentication method given the number of reported cybersecurity incidents affecting the Federal government.  I just wish that they had chosen an authentication method that might not be deprecated in the near future.

     The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce which "is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems". NIST's guidelines are regarded highly and many entities follow NIST's guidance.

     Recently, NIST released a draft of its Special Publication 800-63-3, Digital Authentication Guideline. In this Guideline, NIST states that Out Of Band (OOB) verification "using SMS is deprecated, and may no longer be allowed in future releases of this guidance".  Special Publication 800-63B, Digital Authenication Guidleline, Authentication and Lifecycle Management, section 5.1.3.2.  NIST's position concerning using sending SMS to cell phones is based on the risk that SMS messages could be intercepted or redirected.

     It shall be interesting to see if the final NIST Guideline maintains that OOB verification using SMS is deprecated.  Even more interesting shall be to see how long it takes SSA to replace this method of authentication.

- Henry Park






No comments:

Post a Comment