SMS Okay for 2FA Today, But Maybe Not Tomorrow: NIST

Posted on August 11, 2016 by

The National Institute of Standards and Technology (NIST) is clarifying its stance on SMS as a second authentication factor after calling it ‘deprecated’ in the public draft of its Digital Authentication Guideline. Having invited public comment, the organization evidently received a lot of feedback on this point, and it’s now seeking to ensure that stakeholders and other interested parties understand the matter clearly with a new blog post by Paul Grassi.

SMS Okay for 2FA Today, But Maybe Not Tomorrow: NISTWhile the organization agrees that “truly tying authentication to a physical device makes a real difference” in security, the issue with SMS authentication is that it isn’t always possible to tell whether a text is going to a physical phone or a computer, since messages can be sent as iMessages, Skype messages, and so on. NIST is advocating for federal agencies to verify that phone numbers are actually linked to physical phones, but right now such regulation isn’t in place.

Even when it can be verified that an SMS is being sent to a physical device, Grassi says that “security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.” In other words, there’s substantial risk that a text can be intercepted even when a recipient’s device hasn’t been stolen.

Grassi clarifies that when the NIST says SMS as an out of band authenticator is ‘deprecated’, that doesn’t mean it’s obsolete, but rather that it shouldn’t remain an area of investment going forward. “We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones,” Grassi explains. And in any case, the document is still just a draft, and the NIST really does want to meaningfully engage with public feedback, from individuals and organizations alike, so there’s still the possibility that this stance could change for the final version of the Digital Authentication Guideline.

Related Posts
Biometrics Study Found Reduced Hospitalization, Costs: AMC Health Biometrics Study Found Reduced Hospitalization, Costs: AMC Health
Samsung Patent Shows Iris Scanning Headset, Finger Scanning Wristband Samsung Patent Shows Iris Scanning Headset, Finger Scanning Wristband
5G, AI, IoT to be Key Topics at MWC19 5G, AI, IoT to be Key Topics at MWC19
Synaptics Announces New Touch Controllers for Cars Synaptics Announces New Touch Controllers for Cars
UNICEF to Explore How Wearables Can Help Mothers, Children in Need UNICEF to Explore How Wearables Can Help Mothers, Children in Need
FIDO Urges NIST to Add Multi-Factor Security Requirement to Cybersecurity Framework Update FIDO Urges NIST to Add Multi-Factor Security Requirement to Cybersecurity Framework Update
World Cup Analysis from Visa Shows Consumer Shift to Contactless Payments World Cup Analysis from Visa Shows Consumer Shift to Contactless Payments
Facebook Wins Face Biometrics Lawsuit Facebook Wins Face Biometrics Lawsuit