
Is a no-SMS 2FA policy a good idea for enterprises?

Now that NIST has deprecated the use of SMS 2FA, should nongovernment organizations follow suit? Expert Mike Chapple discusses the risks of SMS-based 2FA to enterprises.

In a public preview, NIST announced its plans to deprecate the use of SMS-based two-factor authentication because it introduces too many security risks. Is this an appropriate change? Should other organizations follow suit and adopt no-SMS 2FA as a best practice?

By deprecating the use of SMS-based two-factor authentication (2FA), the National Institute of Standards and Technology (NIST) is indeed making a very appropriate change to its guidelines for digital authentication. These guidelines, recently released in the draft of NIST Special Publication 800-63B, prepare organizations for a future without this technology.

SMS 2FA is used as an additional, out-of-band authentication step after a user performs initial authentication on a system or service by entering a username and password. A text message, or SMS, is then sent to the user's cellphone with a code that the user must enter into the system to complete the authentication process. Because the code is delivered over the cellular network rather than over the channel used for the username and password, it counts as an out-of-band second factor.

However, this text message authentication method has an inherent weakness. Because the code is delivered as a lock-screen notification, it is often readable without unlocking the phone or entering a further security code. Additionally, if the registered number is a voice over IP (VoIP) number, an attacker may be able to eavesdrop on the network communication or even reroute the SMS to another device by compromising the user's VoIP account.

NIST is not currently saying SMS 2FA is inappropriate, but it is putting organizations on notice that future versions of NIST guidelines and standards may not allow the use of SMS 2FA. Current users of SMS 2FA must verify that the phone number to which the text message is sent corresponds to a direct connection to a cellphone number on a public mobile telephone network, and not to a VoIP service.
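One way to implement the enrollment-time check described above, as an added example in Python that is not part of the original article: the number is required in E.164 form, its line type is looked up, VoIP and landline numbers are refused, and an unknown result fails closed. The lookup table, line-type categories and carrier names are constructed placeholders standing in for a real carrier lookup service.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Tuple

E164_PATTERN = re.compile(r"^\+[1-9]\d{1,14}$")  # E.164: '+' then 2-15 digits


class LineType(Enum):
    MOBILE = "mobile"      # number on a public mobile telephone network
    LANDLINE = "landline"  # fixed line, cannot receive SMS
    VOIP = "voip"          # virtual number, forbidden for SMS 2FA enrollment
    UNKNOWN = "unknown"    # lookup gave no answer


@dataclass(frozen=True)
class LookupResult:
    number: str
    line_type: LineType
    carrier: str


# Constructed sample data standing in for a carrier/line-type lookup service.
SAMPLE_LOOKUP = {
    "+15551230001": LookupResult("+15551230001", LineType.MOBILE, "ExampleMobile"),
    "+15551230002": LookupResult("+15551230002", LineType.VOIP, "ExampleVoIP"),
    "+15551230003": LookupResult("+15551230003", LineType.LANDLINE, "ExampleTelco"),
}


def lookup_line_type(number: str) -> LookupResult:
    """Hypothetical lookup: anything not in the sample table is UNKNOWN."""
    return SAMPLE_LOOKUP.get(number, LookupResult(number, LineType.UNKNOWN, ""))


def may_enroll_sms_2fa(number: str,
                       lookup: Callable[[str], LookupResult] = lookup_line_type
                       ) -> Tuple[bool, str]:
    """Return (allowed, reason). Only a verified mobile number may be enrolled."""
    if not E164_PATTERN.match(number):
        return False, "number must be in E.164 format"
    result = lookup(number)
    if result.line_type is LineType.MOBILE:
        return True, f"mobile number on public network ({result.carrier})"
    if result.line_type is LineType.VOIP:
        return False, "VoIP numbers are not permitted for SMS 2FA"
    if result.line_type is LineType.LANDLINE:
        return False, "landline numbers cannot receive SMS"
    return False, "line type unknown; failing closed"
```

Re-run the check periodically after enrollment as well, since a number can be ported to a VoIP provider after it was first verified.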

While NIST can only make its standards mandatory for U.S. government organizations and contractors, a no-SMS 2FA policy is a good security practice that organizations around the world should plan to adopt.



This was last published in November 2016
