NIST Recommends Deprecation Of SMS Two-Factor Authentication

The National Institute for Standards and Technology (NIST), a U.S. agency in charge of setting cryptography and security standards, proposed to deprecate SMS-based authentication for out of band (OOB) authenticators in its latest standards draft.

Out of band authentication is a form of two-factor authentication that requires another device to complete the authentication. This ensures that an attacker has to hack more than one type of device in order to get access to an account. However, even when using another device to get the SMS code, NIST believes SMS out of band authentication can no longer be considered as secure anymore.

Over the past few years, SMS-based two-factor authentication has gained popularity as the method of choice for two-step verification for various online services. That’s because everyone has a phone with SMS capabilities, and it’s also rather trivial to use. You just input your phone number in a service’s security settings, and then when you have to login, you need both your password and the code you automatically receive to your phone through SMS.

However, over the past couple of years, security researchers have also started sounding the alarm that phones can be easily intercepted, not just by intelligence agencies, but also common hackers, through the Signaling System Seven (SS7). This also exposes the SMS capability to the hackers, who could then send themselves your SMS code to gain access to your online accounts.

The NIST didn’t specify why it doesn’t trust SMS two-factor authentication anymore, but it did say that it’s going to deprecate it in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • m-p-3
    Looks like Twitter might eventually have to provide 2FA over something else than SMS only, like proper Google Authenticator support.
  • hpram99
    I'm in favor of this. SMS isn't the most reliable, and I may be in a foreign country without SMS. If I have to use my phone anyway, let me use a standard Time-based/HMAC-based token application. Google Authenticator is just one of the many TOTP apps available. I'm looking at you Valve, get rid of that stupid proprietary app that only works on Android so I can have my 2FA.
  • velocityg4
    I hate SMS authentication. First I don't want to give the company my phone number. Second sometimes the friggin code never shows or takes a half hour. I use always on private browsing so I have to authenticate every time on some sites. It is a huge pain.

    Companies need to have an option for those who want to always opt out of two factor authentication. My passwords are all randomized, rock solid and stored in an encrypted container with a practically impossible to break password. No one is going to figure it out in the first couple of tries before the account lockout kicks in.

    My big worry with two factor authentication is if I lose my phone. I am royally f*****.

    What would be better is if all logins allowed. Upper case, lower case, all symbol keys and fifty characters. Then allow second factor only for password resets.

    I guess I can see two factor if you are rich or have access to sensitive information at a large company. I just run a small business and don't have much money. No one is going to waste their time trying to break into my accounts. When they can focus on someone with far more financial resources who is completely inept with computers.
  • ubercake
    I'm all for making hackers put in extra effort. Keep the extra step. Most companies utilizing two-factor authentication give you the option to send the code to your cell phone or e-mail.

    I like the authenticators too, but you need a new app for every service.