Standards body warns against SMS for 2FA
US technology standards body the National Institute of Standards and Technology (NIST) has advised against using SMS in two-factor authentication (2FA) systems.
The institute’s latest Digital Authentication Guideline notes that the use of SMS for out-of-band verification is becoming obsolete “due to the risk that SMS messages may be intercepted or redirected”.
The guidelines call on implementers of new systems to “carefully consider alternative authenticators” and note that future releases of the guidelines may disallow the use of SMS for verification altogether.
If SMS is to be implemented in new verification systems, the guidelines assert that mechanisms are needed to verify that pre-registered numbers being used are actually associated with a mobile network, and not with VoIP or other software-based network implementations.
The systems should also require two-factor authentication before a pre-registered number can be changed.
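The two conditions above, written out as enforcement logic, as an added illustration that is not part of the article or of NIST's guideline text: a registration policy that only accepts numbers a carrier lookup classifies as mobile-network, and a change flow that refuses to re-bind the number unless a fresh second-factor check has just succeeded. The carrier lookup is abstracted as a callable; the prefix table inside is constructed sample data, and a real deployment would query a number-portability or HLR lookup service instead (an assumption, not something the article specifies).

```python
"""Policy checks for SMS out-of-band verification (added illustration).

Enforces the two conditions the guideline names for new SMS deployments:
  1. a pre-registered number must belong to a mobile network, not a VoIP
     or other software-based service;
  2. changing a pre-registered number requires a fresh second-factor
     verification first.
The carrier lookup is abstracted as a callable; the table below is
constructed sample data, not a real numbering plan (assumption).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class LineType(Enum):
    MOBILE = "mobile"
    VOIP = "voip"
    LANDLINE = "landline"
    UNKNOWN = "unknown"


# Constructed prefix table. A production system would replace this with a
# number-portability / HLR lookup service query (assumption).
_SAMPLE_CARRIER_DB: Dict[str, LineType] = {
    "+1555010": LineType.MOBILE,
    "+1555020": LineType.VOIP,
    "+1555030": LineType.LANDLINE,
}


def sample_carrier_lookup(number: str) -> LineType:
    """Classify a number by the longest matching prefix in the sample table."""
    for prefix in sorted(_SAMPLE_CARRIER_DB, key=len, reverse=True):
        if number.startswith(prefix):
            return _SAMPLE_CARRIER_DB[prefix]
    return LineType.UNKNOWN


class PolicyError(Exception):
    """Raised when a registration or change violates the guideline's conditions."""


@dataclass
class Account:
    user_id: str
    phone: Optional[str] = None
    # Set only after a completed second-factor challenge; consumed by change_number.
    step_up_verified: bool = False


class SmsAuthenticatorPolicy:
    def __init__(self, carrier_lookup: Callable[[str], LineType]):
        self._lookup = carrier_lookup

    def _require_mobile(self, number: str) -> None:
        line = self._lookup(number)
        if line is not LineType.MOBILE:
            raise PolicyError(f"{number} is {line.value}, not a mobile-network number")

    def register_number(self, acct: Account, number: str) -> None:
        """Initial enrolment: only mobile-network numbers are accepted."""
        if acct.phone is not None:
            raise PolicyError("number already registered; use change_number")
        self._require_mobile(number)
        acct.phone = number

    def change_number(self, acct: Account, new_number: str) -> None:
        """Re-binding requires a fresh 2FA success and a mobile-network number."""
        if not acct.step_up_verified:
            raise PolicyError("second-factor verification required before changing number")
        self._require_mobile(new_number)
        acct.phone = new_number
        # Single use: the next change needs its own successful challenge.
        acct.step_up_verified = False


if __name__ == "__main__":
    policy = SmsAuthenticatorPolicy(sample_carrier_lookup)
    alice = Account("alice")
    policy.register_number(alice, "+15550100001")
    alice.step_up_verified = True  # stands in for a completed 2FA challenge
    policy.change_number(alice, "+15550100002")
    print(alice.phone, alice.step_up_verified)
```

The `step_up_verified` flag is deliberately reset after every successful change so that one completed challenge cannot be reused to re-bind the number twice; whichever component actually runs the second-factor challenge is the only thing that should set it.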
But Kevin Panzavecchia, CTO of mobile network security company HAUD, commented that despite recent high-profile mobile network hacks, the benefits of using SMS for authentication still outweigh the negatives.
“While the continued use of SMS for 2FA does indeed face some challenges, it is impossible to ignore the many benefits it offers to securing and protecting user accounts. No other platform has the same level of ubiquity, and for software architects that wish to implement 2FA systems that are both secure and accessible, it is still the clear frontrunner,” he said.
“The challenges facing SMS 2FA are not insurmountable, and mobile network operators have a role to play in ensuring their networks are secure for the vast array of applications currently used by their subscribers, including this type of traffic.”