The National Institute for Standards and Technology (NIST), a U.S. agency in charge of setting cryptography and security standards, proposed to deprecate SMS-based authentication for out of band (OOB) authenticators in its latest standards draft.
Out of band authentication is a form of two-factor authentication that requires another device to complete the authentication. This ensures that an attacker has to hack more than one type of device in order to get access to an account. However, even when using another device to get the SMS code, NIST believes SMS out of band authentication can no longer be considered as secure anymore.
Over the past few years, SMS-based two-factor authentication has gained popularity as the method of choice for two-step verification for various online services. That’s because everyone has a phone with SMS capabilities, and it’s also rather trivial to use. You just input your phone number in a service’s security settings, and then when you have to login, you need both your password and the code you automatically receive to your phone through SMS.
However, over the past couple of years, security researchers have also started sounding the alarm that phones can be easily intercepted, not just by intelligence agencies, but also common hackers, through the Signaling System Seven (SS7). This also exposes the SMS capability to the hackers, who could then send themselves your SMS code to gain access to your online accounts.
The NIST didn’t specify why it doesn’t trust SMS two-factor authentication anymore, but it did say that it’s going to deprecate it in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.