Standards body warns against SMS for 2FA


By Dylan Bushell-Embling
Wednesday, 27 July, 2016



US technology standards body the National Institute of Standards and Technology (NIST) has advised against using SMS in two-factor authentication (2FA) systems.

The institute’s latest Digital Authentication Guideline notes that the use of SMS for out-of-band verification is becoming obsolete “due to the risk that SMS messages may be intercepted or redirected”.

The guidelines call on implementers of new systems to “carefully consider alternative authenticators” and note that future releases of the guidelines may disallow the use of SMS for verification altogether.

If SMS is to be implemented in new verification systems, the guidelines assert that mechanisms are needed to verify that pre-registered numbers being used are actually associated with a mobile network, and not with VoIP or other software-based network implementations.

The systems should also require two-factor authentication before a pre-registered number can be changed.

But Kevin Panzavecchia, CTO of mobile network security company HAUD, commented that despite recent high-profile mobile network hacks, the benefits of using SMS for authentication still outweigh the negatives.

“While the continued use of SMS for 2FA does indeed face some challenges, it is impossible to ignore the many benefits it offers to securing and protecting user accounts. No other platform has the same level of ubiquity, and for software architects that wish to implement 2FA systems that are both secure and accessible, it is still the clear frontrunner,” he said.

“The challenges facing SMS 2FA are not insurmountable, and mobile network operators have a role to play in ensuring their networks are secure for the vast array of applications currently used by their subscribers, including this type of traffic.”

Image courtesy of Jeff Warren under CC


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd