SMS Okay for 2FA Today, But Maybe Not Tomorrow: NIST

Posted on August 11, 2016 by

The National Institute of Standards and Technology (NIST) is clarifying its stance on SMS as a second authentication factor after calling it ‘deprecated’ in the public draft of its Digital Authentication Guideline. Having invited public comment, the organization evidently received a lot of feedback on this point, and it’s now seeking to ensure that stakeholders and other interested parties understand the matter clearly with a new blog post by Paul Grassi.

SMS Okay for 2FA Today, But Maybe Not Tomorrow: NISTWhile the organization agrees that “truly tying authentication to a physical device makes a real difference” in security, the issue with SMS authentication is that it isn’t always possible to tell whether a text is going to a physical phone or a computer, since messages can be sent as iMessages, Skype messages, and so on. NIST is advocating for federal agencies to verify that phone numbers are actually linked to physical phones, but right now such regulation isn’t in place.

Even when it can be verified that an SMS is being sent to a physical device, Grassi says that “security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.” In other words, there’s substantial risk that a text can be intercepted even when a recipient’s device hasn’t been stolen.

Grassi clarifies that when the NIST says SMS as an out of band authenticator is ‘deprecated’, that doesn’t mean it’s obsolete, but rather that it shouldn’t remain an area of investment going forward. “We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones,” Grassi explains. And in any case, the document is still just a draft, and the NIST really does want to meaningfully engage with public feedback, from individuals and organizations alike, so there’s still the possibility that this stance could change for the final version of the Digital Authentication Guideline.

Related Posts
MasterCard to Discuss Biometrics at Money20/20 MasterCard to Discuss Biometrics at Money20/20
New Report Forecasts $30.5 Billion Market for Digital Identity Solutions New Report Forecasts $30.5 Billion Market for Digital Identity Solutions
Samsung Pay Launches in Singapore Amid Growing mPayment Enthusiasm Samsung Pay Launches in Singapore Amid Growing mPayment Enthusiasm
ImageWare Issues Q1 2018 Update ImageWare Issues Q1 2018 Update
IDEMIA to Provide Morocco with Biometric Citizen ID Cards IDEMIA to Provide Morocco with Biometric Citizen ID Cards
IXDen Launches MFA Platform for IoT Devices IXDen Launches MFA Platform for IoT Devices
Hilltop Appoints ‘White Hat’ Hacker as CISO Hilltop Appoints ‘White Hat’ Hacker as CISO
Baltimore Police Seek Help of VAMPIRE Baltimore Police Seek Help of VAMPIRE