“Cyberschizophrenia” in the US Government

In the last few days, the US Government both mandated and rejected the same method of cybersecurity.

It’s called Second Factor Authentication, specifically a One Time Passcode (OTP) sent by Short Message Service (SMS). So, together, its a “SMS OTP,” which is basically what happens when you receive a 4 to 6-digit security code to your  cell phone as a text message after you enter your username and password.  You must enter this security code (usually) on the same screen where you entered your username and password as an extra factor of security to complete online registration and/or to sign in to an account.  The shorthand for all of this is sometimes referred to as MultiFactor Authentication, or MFA.

First, on July 30, the Social Security Administration (SSA) mandated the use of MFA:

We take our responsibility very seriously and, with that commitment, have always provided my Social Security account holders with the option of an extra layer of security: to receive a security code via a cell phone text message to complete online registration and every sign in. This type of process—requiring more than a username and password to access information—is referred to as multifactor authentication, or MFA.

On July 30, 2016, we implemented mandatory MFA to comply with Executive Order 13681, which requires federal agencies to provide more secure authentication for their online services. (SOURCE: https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html on 8/3/2016)

Of course, since a few  Americans have a social security number, but still do not have a cell phone, the SSA allows for alternatives, making MFA ‘mostly’ mandatory.

Update (August 3, 2016): We believe that we resolved the problem that prevented some my Social Security account holders from receiving their security code text messages or entering the security code they receive. We regret any inconvenience and invite you back to take advantage of the many features that a personal my Social Security account provides. We encourage our customers who will not be able to access their personal my Social Security account without a cell phone to visit our website at www.socialsecurity.gov/agency/contact to learn about other ways to contact us to access their benefits information. (SOURCE: https://www.ssa.gov/myaccount/ on 8/3/2016)

Here’s where the governmental schizophrenia comes in.  Two days later, the National Institute of Science and Technology (NIST) rejected SMS OTP’s.

Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance. (SOURCE: https://pages.nist.gov/800-63-3/sp800-63b.html)

The last sentence, “…may no longer be allowed in future releases of this guidance” is basically a friendly warning that SMS OTP’s may be disallowed the next time this agency writes a new report. In other words, the US Goverment (or at least one of its agencies) wants to phase out SMS as a security layer.

And, to make the situation more interesting, both agencis define Multifactor Authentication” very differently. (Note:in the paragraph, below, the term “AAL” means Authentication Access Level.

The separation of authenticator issuance from the establishment of credentials binding those authenticators to individuals provides additional flexibility in the enrollment and identity proofing process…The three AALs reflect the options agencies will select based on their risk profile and the potential harm caused by an invalid or fraudulent user accessing their systems. The AALs are as follows:

AAL 1: requires single factor authentication, giving some assurance that the same claimant who participated in previous transactions is accessing the protected transaction or data.

AAL 2:  requires two different authentication factors, providing higher assurance that the same (user) who participated in previous transactions is accessing the protected transaction or data.

AAL 3:  provides the highest practical remote digital authentication assurance. It requires proof of possession of a key in a physical multifactor authenticator (MFA) through a cryptographic protocol.

(SOURCE: https://pages.nist.gov/800-63-3/sp800-63b.html)

Again, these two US Government agencies (the  SSA and the NIST)  have remarkably different definitions of “Multifactor Authentication” (MFA).  For the NIST, MFA is a “Physical” item that carries a key, while the SSA uses the same term to describe a code in a text message.  It is unlikely that a difference in terminology is what caused these two agencies to effect mutually exclusive policies, but it probably did not help matters, either.

Let’s hope that these two agencies start reading eachother’s memos soon before we waste a lot of taxpayer money.

Published by

David W. Schropfer

David W. Schropfer is the CEO of SAFE (Smartphone Authentication For Everyone), a cybersecurity company in New York (www.theSafe.io).  Every day, he and his team of professionals keep the people who use The SAFE Button protected from some of the most common traps, hacks and attacks that target computer systems of all sizes. David is the author of the bestselling cybersecurity book, Digital Habits: 5 Simple Tips to Help Keep You and Your Information Safe Online. His previous books, including The Smartphone Wallet and industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries.  Since graduating Boston College, David earned an Executive MBA from the University of Miami.