Convenience Over Security is Often Not the Best Policy

Michael Magrath

Now NIST says SMS authentication is a “no-go”

Forget your password?  No problem, just click “reset password” to receive a one-time code sent via SMS to your registered mobile phone.  From there you can create a new password to access your account.

Inexpensive and Convenient?  Absolutely!

Secure?  Maybe.

Well, for federal agencies, “maybe” does not make the grade when it comes to security, and the National Institute of Standards and Technology has said as much in the DRAFT NIST Special Publication 800-63-B, “Digital Authentication Guideline”.  NIST’s position supports what both security professionals and hackers alike have known for years: SMS is insecure and is no longer suitable as a strong authentication mechanism.

Why?  SMS messages are not protected from being read by the wrong eyes, and there is no assurance that they will actually reach the intended recipient.

Although NIST’s requirements apply to federal agencies, in reality industry has traditionally followed suit.  Healthcare is no exception.  Since 2010, healthcare organizations deploying electronic prescribing of controlled substances (EPCS) solutions have had to comply with NIST’s identity proofing and two-factor authentication requirements defined in Special Publication 800-63.

Outside of EPCS, healthcare organizations have typically deployed low-cost and convenient authentication solutions.  Too often healthcare organizations rely on static passwords to protect their own assets and protected health information.

With a false sense of security, many healthcare organizations have deployed SMS notifications thinking they have significantly increased security when in reality they have not.  SMS peddlers without suitable alternatives talked it up with various buzz-phrases, like “out-of-band” and “step-up” authentication, but the reality now is that SMS does not deliver as a secure “second factor,” as some may have claimed; attacks against SMS are no longer theoretical but widespread.

The federal government and healthcare organizations have one thing in common: both are under constant attack in a never-ending cyber war.  Google “healthcare breach” and it’s easy to see that healthcare is losing.  The entire industry, from large payers to large and small hospitals to single-physician practices, is under constant attack and has suffered far too many casualties.

It is critical that healthcare organizations take heed of NIST’s draft recommendations.  Relying upon obsolete security practices only makes them easy targets.  Add SMS to the list that has been dominated by static passwords.  In light of the NIST draft recommendation, the recent announcement by the Social Security Administration that it now requires two-factor authentication via SMS could not have been more ill-timed and made me chuckle.  It is clear that interagency communications are severely lacking in Washington.  Perhaps The Donald or Hillary will address that?

There are so many affordable options available that balance security with usability that healthcare systems must take action and move off passwords and SMS to protect the sensitive, protected health information they store and access.

For more information on VASCO security solutions for healthcare visit

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).