In a public preview, NIST announced its plans to deprecate the use of SMS-based two-factor authentication because it introduces too many security risks. Is this an appropriate change? Should other organizations follow suit and adopt no-SMS 2FA as a best practice?
By deprecating the use of SMS-based two-factor authentication (2FA), the National Institute of Standards and Technology (NIST) is indeed making a very appropriate change to its guidelines for digital authentication. These guidelines, recently released in the draft of NIST Special Publication 800-63B, prepare organizations for a future without this technology.
SMS 2FA is used as an additional, out-of-band authentication step after a user performs initial authentication on a system or service by entering a username and password. A text message, or SMS, is then sent to the user's cellphone with a one-time code that the user must enter into the system to complete the authentication process. The text message travels over a channel separate from the one used for the username and password, which is what makes it out of band.
However, this text message authentication method has an inherent weakness: the code is only as secure as the channel and the device it lands on. Delivered as a lock-screen notification, the code is often readable without unlocking the phone or entering a further security code. Additionally, if the user has registered a voice over IP (VoIP) number to receive the code, an attacker may be able to eavesdrop on the network communication or even reroute the SMS to another device by compromising the user's VoIP account.
NIST is not currently saying SMS 2FA is inappropriate, but it is putting organizations on notice that future versions of NIST guidelines and standards may not allow the use of SMS 2FA. Under the draft, organizations that continue to use SMS 2FA must verify that the phone number to which the text message is sent is actually associated with a cellphone on a public mobile telephone network, and not with a VoIP or other software-based service.
While NIST can only make its standards mandatory for U.S. government organizations and contractors, a no-SMS 2FA policy is a good security practice that organizations around the world should plan to adopt.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)