BYO Telephony and the future of SMS at Okta
SMS has long played an important role as a universally applicable method of verifying a user’s identity via one-time passcodes. And over the last decade, SMS and voice-based Multi-factor Authentication has prevented untold attempts to compromise user accounts.
But it’s time to move on.
As of August 2023, any new Okta customer choosing to authenticate users via SMS or voice must configure their own Telephony provider, just as they would any other custom IdP or custom TOTP factor. Starting September 15, 2024, at time of renewal, all existing customers must also bring their own telephony provider if they choose to continue to use SMS or voice.
In order to maintain flexibility, Okta doesn’t intend to deprecate the SMS authenticator. Nonetheless, Okta Security urges customers to accelerate their transition to passwordless with phishing-resistant factors like FastPass or FIDO2 WebAuthn.
The good news? Migrating users to FastPass comes at no additional licensing cost.
SMS offers limited assurance
Let’s explore some of the reasons why customers should begin planning a transition away from SMS/Voice:
SMS lacks phishing resistance
The one-time secret communicated in an SMS is not cryptographically bound in any way to the authenticator. There is nothing to stop an adversary from extracting the secret during phishing or social engineering attacks, and modern phishing tools make it trivial to defeat SMS-based authentication. Phishing Resistance is a property that only Okta FastPass, FIDO2 Webauthn and PIV Smart Cards offer in the Okta Identity Engine today.
2. The channel for sending secrets is outside of your organization’s control
Personal webmail and SMS are two categories of authenticator in which the channel for communication of a secret lies outside of the control of the IT administrator. This property can and often has been exploited by adversaries. The most common form of abuse is when adversaries convince support staff at telecommunications providers to perform a SIM Swap, moving the target account for one time secrets to a mobile device they control. There are other examples of adversaries using social engineering or bribes with staff at telecommunications providers to perform SIM swapping. At the more extreme end, adversaries have attacked telecommunications providers or organizations that generate OTPs directly in an attempt to perform SIM Swaps or intercept OTPs sent to user devices.
3. SMS does not offer device signals
As described above, SMS doesn’t link a user with a device they possess with very high assurance. This is a property that Okta Verify (both using FastPass or Push notifications) and FIDO2 WebAuthn can satisfy. FastPass Device Assurance can also assess the posture (health) of the device associated with a user signing in. Little wonder that given a choice, adversaries tend to add and use SMS/voice factor over others to sign-in to compromised accounts.
4. SMS underperforms on usability
As Okta’s recent Secure SignIn Trends report demonstrated, it takes around three times longer for a user to login via password and SMS than via passwordless, phishing resistant authenticators. It’s also more subject to user error, generating large volumes of benign events that offer little in the way of confidence to a security analyst.
What your regulator thinks of SMS
It doesn’t take an expert in forecasting to note which way the wind is blowing for SMS-based MFA. As far back as 2017, NIST recommended against using phone-based authentication such as SMS in the 800-63-3 guidance document
Earlier this month, the US Cyber Safety Review Board recommended that "organizations urgently implement improved access controls and authentication methods and transition away from voice and SMS-based MFA." In a recent settlement, the Federal Trade Commission (FTC) specifically prohibited a company from using SMS-based MFA. And it’s not just in the United States. The UK’s National Cyber Security Centre (NCSC) recommends organizations to consider alternatives to SMS. “There are many ways by which SMS can be compromised and full defence against such attacks is not possible”. The Central Bank of Malaysia now requires banks to make the same transition. Next door, Singapore’s Monetary Authority of Singapore (MAS) intends to “set a deadline for all retail banks to phase out the use of Short Messaging Service (SMS) one-time passwords (OTP) as a sole authentication factor for high-risk transactions." Which means, again per our pals at CISA, “phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort”.
SMS and Shared Responsibility
At Okta, we are regularly impressed by the different ways our customers leverage identity to create value in their organizations. We also endeavor to make it easy for those customers to deliver the most secure and user-friendly authentication experience. Strong, user-friendly authentication is provided by Okta Verify as part of the Okta service, and meets most use cases. We offer a broad range of other authenticators to choose from too. Customers are free to choose SMS and voice for authentication, if the use case requires and its use is within risk tolerance. That said, if your organization chooses to authenticate users via SMS, it’s important to perform your own due diligence on which SMS/telephony provider best meets your needs.