NIST deems SMS unsuitable for two-factor authentication


The US National Institute of Standards and Technology, or NIST, has indicated in a draft guideline that the use of SMS for authentication purposes is inappropriate. This method should therefore no longer be used in the future.

The so-called ‘Digital Authentication Guideline’ is a document that indicates how developers can build secure software and how governments and other organizations can assess the security of products, Softpedia reports. In a recent draft version of this guideline, the institute, which is responsible, among other things, for the standardization of encryption, discusses two-step authentication by means of SMS.

In the guideline, NIST writes that the use of SMS for out-of-band authentication is ‘deprecated’, in NIST’s own words. This way of authenticating would therefore no longer be permitted under the coming guidelines. In the current directive it is still allowed, although it must be determined in advance, during verification, whether a telephone number actually belongs to a mobile network and is not offered by a VoIP service, since the latter would entail too great a risk.

The institute itself does not discuss the risks, but according to Softpedia messages could be intercepted via VoIP services. The organization states that authentication applications for smartphones are the preferred choice for out-of-band authentication. Such applications provide a channel for private communication in addition to a second channel for the authentication itself.

NIST does identify other risks of authentication methods: a physical authenticator, such as a telephone, can be stolen, for example, and duplication, phishing and social engineering are further risks of this kind. To combat these, NIST offers a number of solutions, such as multi-factor authentication against theft, or dynamic outputs against phishing, whereby a code stolen once does not reveal future codes.
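The ‘dynamic outputs’ mentioned above are what a smartphone authenticator app produces: a short code derived from a shared secret and the current time step, so a code captured once is useless a minute later and reveals nothing about later codes. The following is an added example, not code from the article or from NIST, and it assumes the authenticator uses the HOTP/TOTP scheme of RFC 4226 and RFC 6238 (the article itself names no specific algorithm). The secret is the ASCII test key from those RFCs, embedded here purely as constructed sample input.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key used in RFC 4226 / RFC 6238.
# A real authenticator would provision a random per-user secret instead.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: truncate HMAC(secret, counter) to a fixed-length decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step, or one step either side to absorb clock skew.

    Comparison is constant-time so a verifier does not leak how many digits matched.
    """
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


def stolen_code_is_stale(secret: bytes, stolen_at: int, replayed_at: int) -> bool:
    """Model the phishing case from the text: a code captured at `stolen_at`
    is replayed at `replayed_at`; returns True if the verifier rejects it."""
    stolen = totp(secret, stolen_at)
    return not verify_totp(secret, stolen, replayed_at)


if __name__ == "__main__":
    # Code captured at one moment, replayed ten minutes later: rejected.
    print(totp(SAMPLE_SECRET, 59), stolen_code_is_stale(SAMPLE_SECRET, 59, 59 + 600))
```

Because each code is a one-way function of the secret and the time step, a phished code gives the attacker only that one 30-second window; the secret that would be needed to compute future codes never leaves the device.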
