Using SMS for two-factor authentication? It might be time to think again

SMS as a two-factor authentication method will soon be discouraged, according to draft guidelines from US standards body.
Written by Steve Ranger, Global News Director
Login screen

NIST is recommending new approaches to two-factor authentication. (Image: iStock)

The rise of two-factor authentication has made life much harder for hackers, as stealing a password alone is no longer enough to gain access to a system. With two-factor authentication in place, you need a second code to unlock the system, one that's usually sent to the user's smartphone. Hackers therefore need to lay their hands on that device too, making their task much more challenging.

Two-factor authentication has become widespread in recent years, not only on corporate systems but also for everyday consumer applications like email. Sending the second code via SMS is the most common implementation method.

Now, however, the National Institute of Standards and Technology (NIST) -- the US federal agency that develops technology standards -- is warning that the use of SMS will soon be discouraged.

In its draft Digital Authentication Guidelines, NIST advises how government agencies should identify users when they are accessing systems remotely. In particular, it sets out the dos-and-don'ts for what it calls Out-of-Band (OOB) authentication, where a secret code is sent to physical device owned and controlled by the individual -- like a smartphone -- to confirm their identity.

"OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance," said NIST in the draft document.

The guidelines don't go into detail, but downgrading SMS-based authentication is likely to result from concerns about the security of SMS transmissions and whether they can be intercepted.

NIST also added that if the verification is to be made using an SMS message sent on a public mobile telephone network, organisations need to check that the number being used is actually associated with a mobile network and not with a VoIP or other software-based service.

Private and uniquely addressable

It's not just SMS that's in the firing line: NIST said the two key requirements for an OOB authenticator are that the device be "uniquely addressable" and that communication over the secondary channel be private, noting: "Some voice-over-IP telephone services can deliver text messages and voice calls without the need for possession of a physical device; these shall not be used for out of band authentication."

It also warned that the ability to receive email messages or other types of instant message "does not generally prove the possession of a specific device", so these should not be used as out-of-band authentication methods either.

NIST said that two-factor authentication codes sent to smartphones should also not be displayed on the lockscreen of any device, although it's acceptable to indicate that a code has been received.

If SMS is considered old hat, then companies will likely switch to application-based authentication, as the draft noted: "Mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication."

There's also the option of biometrics, but the draft said it recommended "only limited use of biometrics for authentication" because the level of biometric false match rates (FMR) and false non-match rates (FNMR) "do not provide confidence in the authentication of the subscriber by themselves". In addition, FMR and FNMR do not account for spoofing attacks.

NIST also noted that biometric characteristics "do not constitute secrets". "They can be obtained online or by taking a picture of someone with a camera phone (eg facial images) with or without their knowledge, lifted from objects someone touches (eg, latent fingerprints), or captured with high resolution images (eg, iris patterns for blue eyes)," it said.

Read more

Editorial standards