NIST Abandons SMS-based Two-factor Authentication

Locked-Password-Phone1.jpgThe National Institute of Standards and Technology (NIST), the US body that governs technology standards, has said that SMS-based two-factor authentication, where a text message is sent to confirm a users identify, has become “deprecated” and should no longer be used to security purposes.

NIST is in charge of creating national-level guidelines and rules for measurements, including those that apply to secure electronic communications. According to a new set of publications, the body is updating its recommendations for a host of authentication and security issues, and SMS-based two-factor systems are no longer considered secure.

The documents are still undergoing a public draft process where the agency receives feedback from industry figures, developers and security experts, but one of the core updates is that the body is now actively discouraging the use of SMS as an out of band authenticator – the technical term for a method of delivering a one-time code that can be used for two-factor authentication.

Two-factor authentication has become an increasingly popular method of protecting online accounts, with companies including PayPal, Google and Microsoft offering it as a way of ensuring only authorised users access information.

However, NIST now considered SMS-based systems that virtualise phone numbers a poor way to carrying out this process, with the risk of exposure or tampering considered too great.

“While the continued use of SMS for two-factor authentication does indeed face some challenges, it is impossible to ignore the many benefits it offers to securing and protecting user accounts” said Kevin Panzavecchia, chief technical officer of mobile network security firm Haud. “No other platform has the same level of ubiquity, and for software architects that wish to implement two-factor systems that are both secure and accessible, it is still the clear front runner.

“The challenges facing SMS two-factor authentication are not insurmountable, and MNOs have a role to play in ensuring their networks are secure for vast array of applications currently by their subscribers, including this type of traffic. By implementing a mobile network firewall that can filter and protect against misuse of Category 1, 2, and 3 SS7 traffic, MNOs can make sure that their networks remain safe for the transfer of sensitive information via SMS.”

Don’t forget to enter the Effective Mobile Marketing Awards. The final deadline for submissions is 5 August. More details here.