Last week’s announcement from NIST that SMS one-time passwords (OTP) were deprecated as a form of out-of-band (OOB) authentication put the industry in a tizzy. The funny thing is that NIST did hedge a bit in its language, but reading some of the posts out there, you would think the agency had relegated SMS OTP to the junk pile.

While NIST has since clarified the statement further in a blog of its own (“2FA is better than no 2FA, and SMS OTP isn’t prohibited”), there are questions as to what it all means for financial services providers, as NIST guidance is closely followed by the industry (especially by forward-looking institutions).

There’s understandably some concern among our clients about existing investments and what a change would mean for customer experience (as consumers in general have only just become accustomed to SMS OTP). And you can bet that authentication vendors in the biometrics space were raising their glasses after the announcement, but they should put the glasses down. My position is that while I agree with NIST’s assessment that SMS OTP is deprecated, SMS OTP isn’t going away.

Why? Three reasons:

  • On its own, SMS OTP still has value for low-risk transactions
  • It can be bolstered to mitigate its shortcomings
  • It is so broadly integrated across the industry (not quite like passwords, but you don’t sunset something like this overnight)

Instead of tossing the baby out with the bath water, FIs should continue to consider a risk-weighted approach to authentication. Lower-risk activities are safe in the near term, but any doubts around the suitability of standalone SMS OTP for higher-risk transactions should be settled: banking Trojans and phone forwarding have long been effective in intercepting these messages. Supplemental controls can raise the level of assurance provided by SMS OTP, such as verifying the status of the receiving device (for example, whether forwarding is active) or using anti-malware to detect infected browsers where the OTP is to be entered.
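The risk-weighted approach described above can be made concrete as a step-up authentication policy. The following is an added illustration written for this post, not code from Javelin, NIST, or any vendor: it scores the inherent risk of an activity, lets standalone SMS OTP through for low-risk actions, requires device-status checks (forwarding, recent SIM change, browser malware) to pass before accepting SMS OTP for medium-risk actions, and demands a non-SMS factor for high-risk ones. The dollar thresholds, action names and signal field names are assumptions chosen for the example; an institution would tune them to its own loss data and device-intelligence feeds.

```python
"""Risk-weighted step-up authentication policy (added illustration, not the author's code)."""
from dataclasses import dataclass
from enum import Enum


class RiskTier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class DeviceSignals:
    """Status of the phone that would receive the SMS OTP.

    Field names are assumptions; a real deployment would populate them from a
    carrier lookup or a device-intelligence / endpoint anti-malware service.
    """
    call_forwarding_enabled: bool = False   # OTP could be diverted to another line
    sim_changed_recently: bool = False      # possible SIM swap
    browser_malware_detected: bool = False  # the page where the OTP is typed may be hostile

    def compromised(self) -> bool:
        return (self.call_forwarding_enabled
                or self.sim_changed_recently
                or self.browser_malware_detected)


@dataclass
class Transaction:
    action: str          # e.g. "balance_inquiry", "transfer", "change_contact"
    amount: float = 0.0
    new_payee: bool = False


# Constructed thresholds for illustration only; an FI would tune these.
LOW_AMOUNT_LIMIT = 500.0
HIGH_AMOUNT_LIMIT = 5000.0
ACCOUNT_TAKEOVER_ACTIONS = {"change_contact", "change_password", "add_device"}
READ_ONLY_ACTIONS = {"balance_inquiry", "view_statement"}


def score_risk(tx: Transaction) -> RiskTier:
    """Inherent risk of the activity, independent of how the OTP is delivered."""
    if tx.action in ACCOUNT_TAKEOVER_ACTIONS or tx.amount > HIGH_AMOUNT_LIMIT:
        return RiskTier.HIGH
    if tx.action in READ_ONLY_ACTIONS:
        return RiskTier.LOW
    if tx.amount <= LOW_AMOUNT_LIMIT and not tx.new_payee:
        return RiskTier.LOW
    return RiskTier.MEDIUM


@dataclass
class AuthDecision:
    tier: RiskTier
    acceptable_methods: tuple  # authenticators the FI will accept for this request
    reason: str


def decide_authentication(tx: Transaction, device: DeviceSignals) -> AuthDecision:
    """Map inherent risk plus device status to the authenticators that are acceptable."""
    tier = score_risk(tx)

    if tier is RiskTier.LOW:
        # Standalone SMS OTP keeps its value for low-risk activity.
        return AuthDecision(tier, ("sms_otp",),
                            "low-risk activity: standalone SMS OTP is acceptable")

    if tier is RiskTier.MEDIUM:
        # SMS OTP is bolstered by device checks; a failed check steps the request up.
        if device.compromised():
            return AuthDecision(RiskTier.HIGH, ("app_push", "hardware_token"),
                                "SMS OTP declined: receiving device failed status checks")
        return AuthDecision(tier, ("sms_otp",),
                            "medium risk: SMS OTP accepted after device status checks passed")

    # High-risk activity: SMS OTP on its own is not enough regardless of device status.
    return AuthDecision(tier, ("app_push", "hardware_token"),
                        "high-risk activity: a non-SMS authenticator is required")


if __name__ == "__main__":
    # Constructed sample requests.
    cases = [
        (Transaction("balance_inquiry"), DeviceSignals()),
        (Transaction("transfer", amount=2000.0), DeviceSignals()),
        (Transaction("transfer", amount=2000.0), DeviceSignals(call_forwarding_enabled=True)),
        (Transaction("change_contact"), DeviceSignals()),
    ]
    for tx, dev in cases:
        d = decide_authentication(tx, dev)
        print(f"{tx.action:16} ${tx.amount:>8.2f} -> {d.tier.value:6} {d.acceptable_methods} ({d.reason})")
```

The point of the structure is that the device-status check is not a separate product bolted on after the fact; it is the gate that decides whether SMS OTP is still an acceptable factor for a given request, which is what "supplementing" it to raise assurance means in practice.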

So, will SMS OTP enjoy the same zombie-like status as “memorized secrets” (i.e., passwords, a solution that won’t die despite already being dead)? No, because it isn’t dead (not even half dead, for all you Billy Crystal fans). So if you use or are considering SMS OTP for OOB authentication, my suggestion would be to stay calm and assess the situation. Examine the use cases, the inherent levels of risk, and how supplementing SMS OTP with other solutions affects the underlying ROI.

If you work at NIST, on the other hand, I have a few suggestions for language around passwords that would really get everyone excited. But you have to mean it this time.

Author

About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Research Director and Head of Fraud & Security. As Research Director, Al leads Javelin’s Advisory Services and Custom Research businesses. He oversees growth of these businesses while ensuring that Javelin’s research content meets quality standards and provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing payment data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. Al also serves on the board of advisers to the Information Security Media Group. He earned a Bachelor of Arts degree in History from the University of South Florida.
