
Experts say NIST deprecating SMS 2FA is long overdue

The U.S. National Institute of Standards and Technology is advising that SMS-based two-factor authentication be deprecated in order to improve security.

The U.S. National Institute of Standards and Technology plans to deprecate the use of SMS-based two-factor authentication, and experts said the change was long overdue.

NIST released a public preview draft of its Digital Authentication Guideline, in which a section states that, if two-factor authentication (2FA) must be done via SMS, the verifier must "verify that the preregistered telephone number being used is actually associated with a mobile network, and not with a VoIP (or other software-based) service," but that "[out of band] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

NIST called this release a public preview, so it can post the documents on GitHub and solicit comments on the guidelines and changes, including those to SMS 2FA.

Experts generally said SMS 2FA has survived as long as it has because consumers tend to choose convenience over security when it comes to authentication. SMS 2FA is the easiest method of authentication, but it introduces risks, including someone simply reading the 2FA code from a lock-screen notification. Experts said alternative authentication methods, such as tokens and on-device authentication apps, will provide better security, but they can be more complex to set up and more costly to implement.

Damien Hugoo, director of product management at cybersecurity vendor Easy Solutions Inc., based in Doral, Fla., said these guidelines make sense and are long overdue.

"There have been numerous attacks that have been reported where SMS gets hijacked by malware on the end-user device, like Eurograbber. Australian Telco even in 2012 had declared SMS unsafe for banking transactions," Hugoo told SearchSecurity. "U.S. agencies like FFIEC [Federal Financial Institutions Examination Council] in the past have not clearly made a strong move against SMS 2FA, leaning more on the safe side by recommending a multilayer approach. This is finally a clear message to move away from SMS; this is a big deal."

Bill Supernor, CTO for messaging security firm KoolSpan, based in Bethesda, Md., also said the deprecation was long overdue in the NIST guidelines because of the security threats posed by SMS 2FA.

"The biggest risk is that a hostile party can perform a targeted man-in-the-middle attack by observing any SMS-based authentication, and/or generating their own authentication requests and redirecting them," Supernor told SearchSecurity via email. "In essence, this means that the attacker can see the verification codes that are being texted to you. For example, an attacker can invoke a password reset for your bank account and redirect the SMS-based verification to a phone number of their choosing."

The new NIST guidelines attempted to mitigate this risk by stating, "Changing the preregistered telephone number SHALL NOT be possible without two-factor authentication at the time of the change."
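The two ideas above, an on-device authenticator app as the alternative to SMS codes and the rule that a telephone number may not be changed without a second factor presented at the time of the change, can be shown in a few dozen lines. The following is an added example, not code from the article, from NIST or from any vendor quoted here: it implements the RFC 6238 TOTP algorithm that authenticator apps use (checked against the RFC's published test vectors), then gates a constructed `Account.change_phone` method on a valid TOTP code from the already-enrolled factor. The `Account` class, its method names and the sample phone numbers are assumptions made for illustration.

```python
# Added example (not from the article, NIST, or any quoted vendor).
# RFC 6238 TOTP as used by on-device authenticator apps, applied to the
# draft guideline's rule that a preregistered telephone number SHALL NOT be
# changed without two-factor authentication at the time of the change.
# Account, change_phone and the phone numbers are constructed for illustration.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current time step or up to `window` adjacent steps
    (clock skew). Every candidate is evaluated and compared in constant time so
    timing does not reveal which step matched. A wide window weakens the factor."""
    counter = at // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = True
    return matched


class Account:
    """Constructed account record: the enrolled TOTP secret is the second factor,
    the telephone number is the value the guideline protects."""

    def __init__(self, totp_secret: bytes, phone: str):
        self.totp_secret = totp_secret
        self.phone = phone

    def change_phone(self, new_phone: str, totp_code: str, now: int) -> str:
        # The proof must come from the already-enrolled factor; a code sent to the
        # new, unverified number would let whoever controls that number approve
        # the change, which is exactly the redirection the guideline rules out.
        if not verify_totp(self.totp_secret, totp_code, now):
            raise PermissionError("second factor required to change preregistered telephone number")
        self.phone = new_phone
        return self.phone


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (ASCII digits)
    now = 1111111109                   # Unix time from the RFC 6238 test vectors
    acct = Account(secret, "+15555550100")  # constructed sample number
    print("authenticator app shows:", totp(secret, now))
    try:
        acct.change_phone("+15555550199", "000000", now)
    except PermissionError as err:
        print("rejected:", err)
    print("changed to:", acct.change_phone("+15555550199", totp(secret, now), now))
```

Run as a script it prints the current code, shows the change being refused with a wrong code, and then succeeds with the code the enrolled authenticator would display. The 8-digit values in the RFC 6238 test vectors are reproduced by passing `digits=8`.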

NIST guideline reach

Experts said, while NIST guidelines may be intended primarily for use within the U.S. federal government, they often end up having a much broader reach.

Luther Martin, distinguished technologist for Hewlett Packard Enterprise Security, said NIST standards often become the "de facto standards for the whole world."

"The U.S. government's Security Standards for Cryptographic Modules is probably the best example of this, where the corresponding ISO standard, as well as the corresponding standards for other countries, are essentially just copies or translations of the NIST standard," Martin told SearchSecurity. "Since NIST is moving to restrict the use of SMS for authentication, it is probably very significant and will most likely have significant impact on organizations and enterprises beyond the U.S. federal government."

Supernor noted these changes could have far-reaching effects, because "NIST is quite influential, even beyond the purview of the government market."

"Typically, NIST provides recommendations that are well-thought-out, and it is a good idea to follow them, even if one is not required to do so. If a commercial organization does not follow NIST's standards or recommendations, then they are going out on thin ice," Supernor said. "For example, if a bank suffers a major loss due to fraud that used SMS-based account verification, then its insurance provider could make a case for the bank not following appropriate practices."

Hugoo said NIST guidelines often translate to financial institutions and healthcare.

"Financial institutions in the U.S. follow FFIEC guidelines in terms of authentication, but the healthcare industry and others often follow NIST -- it's stated in their HIPAA regulation," Hugoo said. "Echoing NIST's warning on SMS, FFIEC recently updated its Retail Payment Services Handbook with an appendix on mobile financial services warning about using SMS. I expect FFIEC will update its overall guidance soon enough to reflect the latest NIST advisory."

Tom Gorup, security operations leader for Rook Security Inc., based in Indianapolis, said, "NIST does a great job of identifying basic security practices; however, at times, they can be quite cumbersome for organizations to take on single-handedly. NIST guidelines are certainly a set of guidelines companies can use as a launching point."



What policies does your enterprise have surrounding SMS 2FA?
Does this deprecation apply to the SMS push verification question, where a Y/N reply is required?  I would think the answer is "Yes".

We offer these types of SMS verification as part of our solution set and will be making adjustments to augment this convenient use case by attaching an embedded FIDO key to the response or advising use of an in-app feature that can make use of a provisioned FIDO key in the response.

More reason to consider FIDO authentication where the one-time passwords are encrypted and can be sent by the user to their mobile phone or computer wirelessly (NFC/BLE) or over USB.  
There are a variety of FIDO Key form factors ranging from mini-fobs to biometric wristbands (Electro-cardiogram) and headsets (voice) to in-phone soft tokens released by voice or fingerprint matching.  This allows the consumer to choose what is "convenient" to them.

The FIDO standard is gaining momentum and should be seriously considered by the financial industry where there is resistance to hard tokens as well as a resistance to market security to its customers. With FIDO, the customer can "bring their own security" so the banks don't have to stock and provide SMS codes, keyfobs or OTP cards. Banks could have a much more significant impact on the reduction of fraud and the adoption of stronger security for consumers if they would change their anti-security marketing position and promote MFA to consumers. The solutions to prevent fraud (rather than detect and chase it) are available. They just need to be offered to consumers with a more direct awareness program.

Take a look at my recent blog on the NIST SMS A2P proposed deprecation. I explore the options and recommend a practical way forward. The proposed guidelines may lead to 72% of Americans not adopting 2FA at all.

@Rob, I read your blog. Great analysis and response. I agree and support your recommendations.  SMS Text OTP IS the most convenient 2FA method for the most people and will be for some time until some other more convenient method becomes available.

I hope FIDO continues to gain momentum through the deployments of its globally recognized members. It would still need to be promoted/marketed to make people (the 79.1%) aware of its availability.

For the other 21%, 2FA SMS or the Y/N response variation will have to be the alternative.

Personally, I like using my Virtual FIDO Key for Mobile where I simply touch the fingerprint sensor or tap my phone with my NFC/BLE keyfob. No password, no code to key in.

Thanks for the insight.