Hello, welcome to the Monday, July 26, 2016 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

NIST published a preview of the next version of its digital authentication guide.

Haven't read all of it, but one of the highlights that has been

noted is that out-of-band authentication using SMS is deprecated according to this new standard.

Now as an alternative, they offer the use of mobile application.

They also state that push notifications are okay if they provide sufficient entropy, 64 bits

of entropy which of course isn't really true for these usual five digit numbers.

Now if you do have an authenticator with a smaller

entropy, then you do need to implement a throttling mechanism in order to prevent

prud forcing. Remember, a few months ago, Facebook had a problem with this where you could

essentially just prude-force the identification

number that was sent via email or SMS.

Now in the meantime, what they're saying is if you're still using SMS, you can continue

to do so for now, but you do need to make sure that the receiving number is actually a number on a mobile carrier and not a voice over IP number or a number provided by some kind of software service.

So in short, if you are using SMS messages right now, you have to make sure that the recipient

is actually on a mobile network, not on a voice over IP system.

In the future, it sounds to me like systems like Google Authenticator, for example, are

still okay, but with systems like Google

Authenticator that provide pretty short identifiers you do need to make sure

that you prevent brute forcing NIST guidance typically applies to the federal

government but a lot of private industry standards are referring to NIST

...