SMS-Based Two-Factor Authentication May Soon Get Banned
The National Institute of Standards and Technology (NIST) is about to close the door on the use of the short-messaging-service (SMS) system as a secondary method of validation for services and apps looking to set up two-factor authentication.
NIST has been hard at work revising its Digital Authentication Guidelines, an extensive document that essentially sets out the rules that creators of authentication software must follow, and has moved to deprecate the use of SMS as a method of providing a second factor of security for an account. NIST's position appears to be that delivering one-time codes via text message can no longer be classified as secure enough.
Companies and service providers who offer two-factor authentication as a more robust measure of security for an account have long used SMS text messaging as a way of setting up that additional security. More often than not, it’s deemed a simple way to add another layer of security on top of a basic password, and some of the largest companies in the world, like Apple and Google, have implemented it alongside their own solutions, such as verifying access through a secondary “trusted device” or via email.
The new guidelines totally discourage the use of SMS as an “out of band authenticator”, which basically means companies are discouraged from using text messages as a means of delivering one-time codes for two-factor authentication:
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
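The quoted paragraph imposes two checkable rules on the verifier: the registered number must resolve to a mobile network (not a VoIP or other software-based service) before a code is sent, and the registered number cannot be changed without a second factor at the time of the change. The following is an added example, not code from the article or from NIST, of a minimal verifier that enforces both rules. The carrier lookup table, account structure and function names are assumptions constructed for this example; a production verifier would query a carrier or number-portability lookup service rather than a hard-coded dictionary.

```python
"""Added example (not part of the article or NIST's text): a minimal verifier
that enforces the two rules in the quoted guidance.
  1. Only send an SMS code to a number that resolves to a mobile network.
  2. Refuse to change the pre-registered number unless a second factor has
     succeeded in the current session.
The carrier lookup table is constructed for the example; a real verifier
would query a carrier / number-portability lookup service instead."""
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional, Tuple

# Constructed sample of what a carrier lookup returns: E.164 number -> line type.
CARRIER_LOOKUP = {
    "+15550100001": "mobile",
    "+15550100002": "voip",      # software-based number: not allowed for OOB SMS
    "+15550100003": "landline",  # cannot reliably receive SMS
}

OTP_TTL_SECONDS = 300.0  # a one-time code is valid for five minutes


@dataclass
class Account:
    username: str
    phone: str                                  # pre-registered telephone number
    mfa_verified_at: Optional[float] = None     # when a second factor last succeeded
    otp_hash: Optional[bytes] = None            # hash of the outstanding code, if any
    otp_expires: float = 0.0


def line_type(number: str) -> str:
    """Resolve a number to its line type; unknown numbers are treated as unsafe."""
    return CARRIER_LOOKUP.get(number, "unknown")


def _hash_code(code: str) -> bytes:
    return sha256(code.encode()).digest()


def request_sms_code(acct: Account, now: Optional[float] = None) -> Tuple[bool, str]:
    """Rule 1: SHALL verify the number is on a mobile network before sending.
    Returns (sent, reason_or_code).  The code is returned only so the example
    can be exercised offline; a real verifier hands it to the SMS gateway."""
    now = time.time() if now is None else now
    kind = line_type(acct.phone)
    if kind != "mobile":
        return False, f"refused: {acct.phone} resolves to {kind}, not a mobile network"
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit one-time code
    acct.otp_hash = _hash_code(code)           # store only a hash of the code
    acct.otp_expires = now + OTP_TTL_SECONDS
    return True, code


def verify_sms_code(acct: Account, code: str, now: Optional[float] = None) -> bool:
    """Check a submitted code; on success record that a second factor succeeded."""
    now = time.time() if now is None else now
    if acct.otp_hash is None or now > acct.otp_expires:
        return False
    ok = hmac.compare_digest(acct.otp_hash, _hash_code(code))
    acct.otp_hash = None                       # single use, whether or not it matched
    if ok:
        acct.mfa_verified_at = now
    return ok


def change_phone_number(acct: Account, new_number: str,
                        now: Optional[float] = None,
                        max_age: float = 300.0) -> Tuple[bool, str]:
    """Rule 2: SHALL NOT allow changing the number without two-factor
    authentication at the time of the change.  Here "at the time" means a
    second factor succeeded within max_age seconds of this request."""
    now = time.time() if now is None else now
    if acct.mfa_verified_at is None or now - acct.mfa_verified_at > max_age:
        return False, "refused: second factor required before changing the number"
    new_kind = line_type(new_number)
    if new_kind != "mobile":                   # do not let the user register a VoIP number
        return False, f"refused: new number resolves to {new_kind}"
    acct.phone = new_number
    return True, "phone number updated"


if __name__ == "__main__":
    alice = Account("alice", "+15550100001")
    sent, code = request_sms_code(alice)
    print("sent:", sent, "verified:", verify_sms_code(alice, code))
    print(change_phone_number(alice, "+15550100002"))   # refused: VoIP
    print(request_sms_code(Account("bob", "+15550100002")))  # refused: VoIP
```

The two refusals are deliberately separate decisions: the line-type check is applied both when sending a code and when accepting a new number, so a user cannot sidestep the first rule by registering a VoIP number after the fact, and the number change additionally demands a fresh second factor rather than a long-lived session.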
The new guidelines may be extensive in their changes and recommendations, as you would expect from a document of this nature, but there is an underlying emphasis on ensuring that one-time codes are no longer sent via channels that could be deemed insecure, such as text message or VoIP services, which have already been shown to be relatively easy to compromise.
It’ll be extremely interesting to see how companies respond to, and implement, the new guidelines going forward.