SMS Okay for 2FA Today, But Maybe Not Tomorrow: NIST

Posted on August 11, 2016 by

The National Institute of Standards and Technology (NIST) is clarifying its stance on SMS as a second authentication factor after calling it ‘deprecated’ in the public draft of its Digital Authentication Guideline. Having invited public comment, the organization evidently received a lot of feedback on this point, and it’s now seeking to ensure that stakeholders and other interested parties understand the matter clearly with a new blog post by Paul Grassi.

SMS Okay for 2FA Today, But Maybe Not Tomorrow: NISTWhile the organization agrees that “truly tying authentication to a physical device makes a real difference” in security, the issue with SMS authentication is that it isn’t always possible to tell whether a text is going to a physical phone or a computer, since messages can be sent as iMessages, Skype messages, and so on. NIST is advocating for federal agencies to verify that phone numbers are actually linked to physical phones, but right now such regulation isn’t in place.

Even when it can be verified that an SMS is being sent to a physical device, Grassi says that “security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.” In other words, there’s substantial risk that a text can be intercepted even when a recipient’s device hasn’t been stolen.

Grassi clarifies that when the NIST says SMS as an out of band authenticator is ‘deprecated’, that doesn’t mean it’s obsolete, but rather that it shouldn’t remain an area of investment going forward. “We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones,” Grassi explains. And in any case, the document is still just a draft, and the NIST really does want to meaningfully engage with public feedback, from individuals and organizations alike, so there’s still the possibility that this stance could change for the final version of the Digital Authentication Guideline.

Related Posts
New Partnership to Bring AI-Driven Voice Interaction to More Vehicles New Partnership to Bring AI-Driven Voice Interaction to More Vehicles
Apple Pay Lets Concertgoers Order Drinks from the Dance Floor Apple Pay Lets Concertgoers Order Drinks from the Dance Floor
Low-Power, Rugged Voice Activation System Could Let Devices ‘Run for Years’ Low-Power, Rugged Voice Activation System Could Let Devices ‘Run for Years’
Apple Highlights Hi-Res Video, Biometrics in New iPhone Ads Apple Highlights Hi-Res Video, Biometrics in New iPhone Ads
Zwipe Announces Big New Private Placement Zwipe Announces Big New Private Placement
BIO-key’s Official Q4 2017 Update Coming March 29 BIO-key’s Official Q4 2017 Update Coming March 29
Ipsidy Launches Proof App, Combining Selfie Authentication and Gov’t ID Ipsidy Launches Proof App, Combining Selfie Authentication and Gov’t ID
Yann Delabrière Named Chairman of IDEMIA’s Supervisory Board Yann Delabrière Named Chairman of IDEMIA’s Supervisory Board