ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

Is SMS OTP a valid second factor to achieve an LoA of 3? #8

Closed lukepopp closed 5 years ago

lukepopp commented 5 years ago

Scenario: The customer receives the SMS on their mobile device and enters this into the browser (Holder website) during authentication.

FAPI requires at least an LoA of 2 [X.1254] for READ operations.
FAPI requires at least an LoA of 3 [X.1254] for WRITE operations.

Normative References:

WestpacOpenBanking commented 5 years ago

In support of a successful July 19 roll out, we suggest that whether SMS OTP is sufficient as a second factor should be up to data holders and their risk appetites. This issue could be revisited at a later date.

ajmcmiddlin commented 5 years ago

NIST's Digital Identity Guidelines have restricted use of SMS OTP. A later section outlines what this means. Essentially it is deemed a riskier option, and is considered to degrade further over time.

Anecdotally it seems that SIM swapping and other attacks on mobile networks are becoming more prevalent, so I would be mindful of this while making this decision.

mwatson-daon commented 5 years ago

I don't think that there is any way that SMS is sufficient for LoA3; it is not secure, is not phishing resistant, has no crypto capabilities and has all the weaknesses as outlined by NIST. I also can't see out of band devices listed as one of the appropriate mechanisms for AAL3 under the NIST guidance which would also exclude push OTP.

The real question is if SMS is sufficient for LoA2?

NIST allow it with a few requirements, the big one being that the CSP check that the phone number is still associated with the physical device. So the CSP would need to check that the number has not been ported, not SIM swapped or the phone changed. This needs to be done every time the number is used. The CSP should also offer a non-SMS based second factor.

If the mitigations to SMS OTP are implemented appropriately, then it might be sufficient for LoA2 in the short term.

lukepopp commented 5 years ago

@mwatson-daon I've added some normative references to the issue which clear up some things.

lukepopp commented 5 years ago

I believe the answer to the question is YES. Please refer to the normative references. In particular, [X.1254] is clear about what constitutes an LoA of 2 (i.e., some confidence). At some point consideration has to be given to whether an LoA 2 is sufficient in any circumstances (READ or WRITE). This really depends on the existing level of support for 2FA across Data Holders. We want to avoid forcing consumers to have to register for 2FA as part of a CDR Authentication process.

mwatson-daon commented 5 years ago

I think we want to avoid identity take over and leaking people's personal data simply because SMS is easy for the data holder. It is called Consumer Data Rights right?

X.1254 is 6 years old. Both the NIST and DTA recommendations have moved on from 2012.

DTA Authentication Credential Requirements

SMS should only be used where the Data Holder performs a check to see that the number hasn't been ported and the SIM/handset hasn't been changed before every use. If the Data Holders are able to do that, then SMS OTP is an acceptable authentication factor. If they can't, then SMS shouldn't be used as an authentication factor.

Are we really going to recommend adoption of a 6 year old security model in opposition to the more recent advice from NIST and DTA?
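The mitigations described in the two comments above (a port/SIM-swap check before every use, a non-SMS alternative on offer, and SMS OTP capped at LoA2 with READ needing LoA2 and WRITE needing LoA3) as a decision routine. This is an added example, not code from this repository; the `SmsChannelEvidence` fields, the 60-second freshness window and the `assess_sms_otp`/`sms_otp_permitted` names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Minimum LoA per operation class as stated in the issue (FAPI, citing X.1254).
REQUIRED_LOA = {"READ": 2, "WRITE": 3}

# The highest LoA SMS OTP can reach under the NIST/DTA view quoted in the thread:
# it is not phishing resistant and has no cryptographic binding, so LoA3 is out.
SMS_OTP_MAX_LOA = 2

@dataclass
class SmsChannelEvidence:
    """Hypothetical record of the per-use carrier check a data holder performs."""
    number_ported: bool               # number moved carrier since enrolment
    sim_or_handset_changed: bool      # SIM/handset no longer matches enrolled device
    check_age_seconds: int            # age of this lookup; must be fresh for *this* use
    alternative_factor_offered: bool  # a non-SMS second factor is available to the user

def assess_sms_otp(ev: SmsChannelEvidence, max_check_age_seconds: int = 60) -> tuple[int, str]:
    """Return (claimable_loa, reason). 0 means SMS OTP must not be used for this login."""
    if ev.check_age_seconds > max_check_age_seconds:
        return 0, "port/SIM-swap check is stale; it must be repeated for every use"
    if ev.number_ported:
        return 0, "number has been ported since enrolment"
    if ev.sim_or_handset_changed:
        return 0, "SIM or handset changed since enrolment"
    if not ev.alternative_factor_offered:
        return 0, "holder must offer a non-SMS second factor alongside SMS OTP"
    return SMS_OTP_MAX_LOA, "mitigations satisfied; SMS OTP usable up to LoA2"

def sms_otp_permitted(operation: str, ev: SmsChannelEvidence) -> bool:
    """True if SMS OTP, given this evidence, meets the LoA the operation class requires."""
    loa, _ = assess_sms_otp(ev)
    return loa >= REQUIRED_LOA[operation]

if __name__ == "__main__":
    # Constructed sample: a clean, freshly checked channel with an alternative factor offered.
    clean = SmsChannelEvidence(False, False, 5, True)
    print(sms_otp_permitted("READ", clean), sms_otp_permitted("WRITE", clean))  # True False
    swapped = SmsChannelEvidence(False, True, 5, True)
    print(assess_sms_otp(swapped))
```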

lukepopp commented 5 years ago

@mwatson-daon I agree, but at this stage we are following FAPI, which in turn is following X.1254. Authentication levels, Credential Management, Assertion Presentation, and Identity Proofing are all types of assurance which just cannot be represented under X.1254. I made this point at the workshop on the 6th Dec so watch this space... it's early days. From an "identity take over" perspective and authentication, the Holders should not increase the risk of this happening under CDR. It is clearly in their interest not to (legally and from a reputation point of view).

mwatson-daon commented 5 years ago

@lukepopp Sorry, couldn't fit in to that session.

It sounds like we should be moving on from FAPI then ;-) It doesn't surprise me though, as I think it is the same issue that crops up with OAuth -> a focus on old authentication mechanisms with a strong emphasis on passwords and the web channel only.

Agree that there is no additional risk if CDR allow SMS. But continuing to allow such a low security mechanism as the core additional factor does no consumer any favours. It's like saying there is no additional risk of death if we keep allowing manufacturers to sell cars without seatbelts.

johndugganoz commented 5 years ago

@lukepopp

Hi Luke, I guess it's common knowledge now that, besides offering no encrypted message or transaction signing function, the SMS/OTP mechanism has vulnerabilities to device swap, SIM change and number porting attacks.

After implementation of the CDR legislation, a successful attacker will have greater control. They will be able to control the sharing of my data and the claim of my identity, with new service providers, in a way that they can't currently do.

If we know that SMS/OTP introduces vulnerability for current processes, then why promote it post July 1 when the emergence of data sharing means that the risks of identity fraud/takeover have increased?

If the legislation is implemented with poor authentication, then even citizens/customers who don't seek to benefit from the data sharing legislation, will have greater exposure to identity theft due to its implementation.

The implementation of CDR shouldn't, by design, increase the prevalence of identity fraud in Australia. If SMS/OTP is accepted as an authentication mechanism for data sharing then I believe that is the situation we will be in.

John Duggan SVP Daon

lukepopp commented 5 years ago

@mwatson-daon The scope of FAPI goes far beyond simply specifying minimum LoAs and we will be sticking with it. However, the standards are informed by emerging legislation and rules. This might mean higher minimum LoAs are required and the standards will reflect that (for example, Strong Customer Authentication has been mentioned).

@johndugganoz I don't agree that the CDR will make sharing of data easier for malicious actors. For example, screen scraping of banking accounts protected by a single factor is already a legal commercialised business. Malicious actors have the same tools at their disposal. As I have stated previously, the CDR will not lower banking authentication requirements for customers now or into the future. Therefore I would be circumspect about making comments about the CDR being designed to promote identity fraud as such comments may be misconstrued as fear mongering. However, I think it is entirely reasonable to ask, can we do better?

Finally, overly stringent authentication mechanisms also present a risk to the CDR as they may inhibit user uptake. A CDR with no active consumers will have clearly missed the mark.

lukepopp commented 5 years ago

This issue has been resolved so I’m closing.