SMS Okay for 2FA Today, But Maybe Not Tomorrow: NIST

The National Institute of Standards and Technology (NIST) is clarifying its stance on SMS as a second authentication factor after calling it ‘deprecated’ in the public draft of its Digital Authentication Guideline. Having invited public comment, the organization evidently received a lot of feedback on this point, and it’s now seeking to ensure that stakeholders and other interested parties understand the matter clearly with a new blog post by Paul Grassi.

SMS Okay for 2FA Today, But Maybe Not Tomorrow: NISTWhile the organization agrees that “truly tying authentication to a physical device makes a real difference” in security, the issue with SMS authentication is that it isn’t always possible to tell whether a text is going to a physical phone or a computer, since messages can be sent as iMessages, Skype messages, and so on. NIST is advocating for federal agencies to verify that phone numbers are actually linked to physical phones, but right now such regulation isn’t in place.

Even when it can be verified that an SMS is being sent to a physical device, Grassi says that “security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.” In other words, there’s substantial risk that a text can be intercepted even when a recipient’s device hasn’t been stolen.

Grassi clarifies that when the NIST says SMS as an out of band authenticator is ‘deprecated’, that doesn’t mean it’s obsolete, but rather that it shouldn’t remain an area of investment going forward. “We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones,” Grassi explains. And in any case, the document is still just a draft, and the NIST really does want to meaningfully engage with public feedback, from individuals and organizations alike, so there’s still the possibility that this stance could change for the final version of the Digital Authentication Guideline.