
Is a no-SMS 2FA policy a good idea for enterprises?

Now that NIST has deprecated the use of SMS 2FA, should nongovernment organizations follow suit? Expert Mike Chapple discusses the risks of SMS-based 2FA to enterprises.

In a public preview, NIST announced its plans to deprecate the use of SMS-based two-factor authentication because it introduces too many security risks. Is this an appropriate change? Should other organizations follow suit and adopt no-SMS 2FA as a best practice?

By deprecating the use of SMS-based two-factor authentication (2FA), the National Institute of Standards and Technology (NIST) is indeed making a very appropriate change to its guidelines for digital authentication. These guidelines, recently released in the draft of NIST Special Publication 800-63B, prepare organizations for a future without this technology.

SMS 2FA is used as an additional, out-of-band authentication factor after a user has performed initial authentication on a system or service by entering a username and password. A text message (SMS) is then sent to the user's cellphone with a code that the user must enter into the system to complete the authentication process. Because the code travels over the mobile network rather than over the connection used for the username and password, it is treated as an out-of-band channel.

However, this text message authentication method has inherent weaknesses. Displayed as a lock-screen notification, the code is often readable without unlocking the phone or entering a further security code. Additionally, if the registered number is a voice over IP (VoIP) number, the "text message" is delivered over the internet rather than the mobile network, so an attacker may be able to eavesdrop on that network communication, or even reroute the SMS to another device by compromising the user's VoIP account.

NIST is not currently saying SMS 2FA is inappropriate, but it is putting organizations on notice that future versions of NIST guidelines and standards may not allow the use of SMS 2FA. In the meantime, the draft requires services that still use SMS 2FA (the verifier) to confirm that the pre-registered phone number the code is sent to is associated with a device on a public mobile telephone network, and not with a VoIP or other software-based service.
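The out-of-band flow described above, together with the number-type check the draft places on the verifier, as an added example that is not code from the article or from NIST: a minimal Python SMS OTP verifier. The NUMBER_TYPE_LOOKUP table and the phone numbers in it are constructed for this example and stand in for a carrier lookup service; the SmsOtpVerifier class, its constructor parameters and the OTP_DIGITS, OTP_TTL_SECONDS and MAX_ATTEMPTS settings are all assumptions of the example, not anything the article or the NIST draft specifies.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a carrier/number-type lookup service. Keys are
# E.164 numbers invented for this example; values are the line types such a
# service reports for a number.
NUMBER_TYPE_LOOKUP = {
    "+15551230001": "mobile",    # handset on a public mobile network: allowed
    "+15551230002": "voip",      # software-based number: refused per the draft
    "+15551230003": "landline",  # cannot receive SMS reliably: refused
}

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed validity window: five minutes
MAX_ATTEMPTS = 3        # assumed wrong guesses allowed before the code is discarded


class OtpPolicyError(Exception):
    """Raised when the destination number fails the mobile-network check."""


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int


class SmsOtpVerifier:
    """Verifier side of an SMS out-of-band second factor.

    `lookup` maps a number to its line type, `clock` returns the current time
    (injected so expiry can be exercised) and `sender` delivers the text.
    Defaults: the constructed table above, time.time and no-op delivery.
    """

    def __init__(self, lookup=None, clock=time.time, sender=None):
        self._lookup = NUMBER_TYPE_LOOKUP if lookup is None else lookup
        self._clock = clock
        self._sender = sender or (lambda number, text: None)
        self._pending: dict[str, PendingOtp] = {}

    def number_is_eligible(self, number: str) -> bool:
        # Draft SP 800-63B: the verifier SHALL confirm the pre-registered number
        # is on a mobile network and not a VoIP (or other software-based) service.
        return self._lookup.get(number) == "mobile"

    def send_code(self, user: str, number: str) -> None:
        if not self.number_is_eligible(number):
            kind = self._lookup.get(number, "unknown")
            raise OtpPolicyError(f"{number} is {kind}, not a mobile-network number")
        # Generate the code from a CSPRNG, never from random.randint.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self._sender(number, f"Your verification code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False                       # nothing outstanding for this user
        if self._clock() > pending.expires_at:
            del self._pending[user]            # expired: force a fresh code
            return False
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            pending.attempts_left -= 1         # constant-time compare; count the miss
            if pending.attempts_left <= 0:
                del self._pending[user]        # too many guesses: discard the code
            return False
        del self._pending[user]                # single use: a replayed code fails
        return True


if __name__ == "__main__":
    outbox = []
    verifier = SmsOtpVerifier(sender=lambda number, text: outbox.append((number, text)))
    for candidate in NUMBER_TYPE_LOOKUP:
        try:
            verifier.send_code("alice", candidate)
            sent_code = outbox[-1][1].split()[-1]
            print(f"{candidate}: code sent, verify -> {verifier.verify('alice', sent_code)}")
        except OtpPolicyError as exc:
            print(f"{candidate}: refused ({exc})")
```

The policy gate sits in front of code generation, so a VoIP or landline number never receives a code at all; in production the lookup table would be replaced by a query to a carrier lookup service (Twilio Lookup, for example, reports a carrier type of mobile, landline or voip), and the pending-code store would live in a shared cache rather than in process memory. Note that the check only addresses the VoIP rerouting risk the article names; it does nothing about the lock-screen exposure or the SS7 weaknesses raised in the comments.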

While NIST can only make its standards mandatory for U.S. government organizations and contractors, a no-SMS 2FA policy is a good security practice that organizations around the world should plan to adopt.



This was last published in November 2016


Join the conversation

2 comments


Does your organization use SMS-based 2FA? Why or why not?
What about the simple fact that the mobile network itself is completely insecure?  We have a broken SS7 linking all networks, worldwide -- the bad guys only need the software, that they have, and a mobile number; having both of those, they can see every SMS you send or receive and they can even listen in to your calls in real time.  And then we need to consider the Stingrays on top of that.  No, the mobile network is completely insecure without end-to-end encryption and even then the phones themselves might be compromised.