Mobile ID World

SMS Okay for 2FA Today, But Maybe Not Tomorrow: NIST

August 11, 2016

The National Institute of Standards and Technology (NIST) is clarifying its stance on SMS as a second authentication factor after calling it ‘deprecated’ in the public draft of its Digital Authentication Guideline. Having invited public comment, the organization evidently received a lot of feedback on this point, and it’s now seeking to ensure that stakeholders and other interested parties understand the matter clearly with a new blog post by Paul Grassi.

While the organization agrees that “truly tying authentication to a physical device makes a real difference” in security, the issue with SMS authentication is that it isn’t always possible to tell whether a text is going to a physical phone or a computer, since messages can be sent as iMessages, Skype messages, and so on. NIST is advocating for federal agencies to verify that phone numbers are actually linked to physical phones, but right now such regulation isn’t in place.

Even when it can be verified that an SMS is being sent to a physical device, Grassi says that “security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.” In other words, there’s substantial risk that a text can be intercepted even when a recipient’s device hasn’t been stolen.

Grassi clarifies that when NIST says SMS as an out-of-band authenticator is ‘deprecated’, that doesn’t mean it’s obsolete, but rather that it shouldn’t remain an area of investment going forward. “We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones,” Grassi explains. In any case, the document is still just a draft, and NIST really does want to meaningfully engage with public feedback, from individuals and organizations alike, so there’s still the possibility that this stance could change for the final version of the Digital Authentication Guideline.

Filed Under: Industry News

Copyright © 2022 MobileIDWorld