NIST Recommends SMS Two-Factor Authentication Deprecation

The U.S. National Institute for Standards and Technology (NIST) said SMS-based two-factor authentication would soon be deprecated.

A U.S. government agency said the end is nigh for SMS-based two-factor authentication, citing a lack of security around the feature.

The latest draft version of the Digital Authentication Guideline issued this week by the U.S. National Institute for Standards and Technology (NIST) said the practice would soon be discouraged.

The Digital Authentication Guideline sets the rules that all authentication software eventually follows.

Acknowledging there’s a risk that SMS messages can be intercepted or redirected, NIST is encouraging any service considering adopting two-factor authentication in the future to “consider alternative authenticators.”

In the document, NIST states that services must verify that the phone number they send codes to belongs to a legitimate mobile network and not a VoIP service, before noting that the method may be discouraged in future releases.

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance,” the document reads.

The document does support biometrics, at least in limited use, for authentication. As long as biometrics is used alongside another authentication factor, it’s permissible, NIST claims. Biometric authentication on its own can have false match rates, can be spoofed, and “do not provide confidence in the authentication of the subscriber by themselves.”

NIST has stressed the document is a public preview, meaning the processes aren’t in play yet and are still subject to comment. NIST will seek comments for roughly two weeks and follow that with a 2-3 week period for editors to review those comments.

The agency is seeking comment on SP 800-63-3 via GitHub. While the platform may seem like an unorthodox choice, NIST said it considers the site a robust forum for drafting the document and is encouraging substantive technical and procedural comments. NIST first called on the public to help the agency map out the guideline when it previewed it on GitHub initially, in May.

Several services have already begun moving away from SMS-based two-factor authentication. Facebook uses something called Code Generator as part of its login approvals feature. When a user turns it on, they’re asked for a special security code, which changes every thirty seconds, upon logging in. Google has a similar function, Google Authenticator, that supplies users with a six- to eight-digit one-time password. Companies such as Authy and Duo specialize in such solutions as well.

Two-factor authentication has become almost ubiquitous over the last several years. The functionality, which allows services to send users a code to enter along with a password as an added layer of security, has been adopted across multiple industries. Companies such as Apple, Dropbox, Snapchat, Evernote, and Twitter have adopted two-factor authentication to combat account takeovers and compromises.

Still, 2FA is no silver bullet; attackers and researchers alike have poked holes in the method, mainly via man-in-the-middle attacks. Two years ago, researchers from Duo found a way to bypass the mechanism used by PayPal and transfer money from a victim’s account to any recipient they chose. Vulnerabilities have also surfaced in plugins offered by WordPress, Google, and Instagram that enabled attackers to bypass two-factor authentication.

  • Craig Schiller on

    Chris, this article needs to be re-written. One, the statement about deprecation only applies to two factor authentication using SMS technology. Two, " (NIST) said the practice would soon be discouraged." is not true. The document is the C draft of the guidance document and the recommendation did not appear in the previous versions. One comment already received says that deprecation is too severe because two factor using SMS is stronger than basic userid and password even considering the weakness. More likely, the guide will include compensating factors for use when using 2FA with SMS or will recommend it for systems that do not include regulated information (PII, PHI, etc).
  • Jon Austin on

    My experience has been that Facebook's 2FA, Login Approval, can only be turned on by providing a mobile number. An SMS code is always sent. The secondary code generator is really only an aid if you have no cell service or don't have your phone to receive the SMS. When the service was first introduced, it was not necessary to register a mobile and a code-generator-only setup was possible. At some point, however, the mobile registration was made a requirement to turn on 2FA with no option to turn off the SMS and use the code-generator exclusively.
  • Andy Keller on

    This is also a little misleading: "Several services have already begun moving away from two-factor authentication." They're moving away, perhaps, from SMS as the 2nd factor, but utilizing a one-time code (OOTP) like via Google Authenticator is still 2FA.
  • Anonymous on

    What is OOB? Please define your acronyms whenever possible.
  • JohnnyH8 on

    It doesn't matter. SMS is a technically broken and indefensible protocol. When you can add hyperlinks that do more than just link to an innocuous website, we have a problem. There is not an application layer firewall for cellphones and the telephony industry, among other professional associations, is unresponsive to security, only bent towards bandwidth and QoS. The only real immediate fix for SMS/MMS is a client that allows you to strip links and media out... text only. If I only had a cellphone that could whitelist my SMS reception. Exactly, plain stupid simple. Do all you want with the verify, but understand what the client is seeing in malware.
