According to the National Institute of Standards and Technology (NIST), two-factor authentication through SMS may no longer be secure.
In its public preview of the Digital Authentication Guidelines, released earlier this week, NIST hints that the days of SMS as a secure second factor of authentication may be over. It's important to note that the preliminary draft is a work in progress; you can provide feedback via GitHub, which could shape the final guidelines later this summer. Find that here.
According to the draft guideline, "using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Although NIST doesn't come out and say why this statement was made, the draft shines a spotlight on more "secure" authentication methods.
What does this all mean? Here's my take.
SMS-based two-factor authentication can be vulnerable, and a potential weak link in the authentication process, because the phone (or the phone number itself) may not always be in the owner's possession. Many phone users also have their SMS messages displayed on the home screen, even when the phone is locked. This means a potential hacker could authenticate just by viewing the code on your phone's lock screen (you can change this setting for iPhones here). What's more, it's nearly impossible to verify that the person who received the two-factor authentication code is actually the right person.
Michael Thelander, iovation's Authentication Product Marketing Manager, echoes the point:
"This is an expected and smart move from NIST. Security professionals have known for some time that SMS codes can be one of the weakest links in authorization chains, and this forces government agencies to stop leaning on the 'easiest' solution."
Does this mean that biometrics are the answer? Potentially. It could also be other, more secure two-factor systems.
Either way, there's no need to panic. From a consumer standpoint, SMS two-factor authentication is still relatively secure, and many companies are actively using it or are only now hopping on the SMS bandwagon. Still, the use of SMS text messages as a second factor of authentication could become a thing of the past sooner than you might think.
Or as Michael puts it:
"This may not affect civilian systems immediately, but it represents an industry focus on advancing and refining authentication methods."
One thing is certain: as the hackers get smarter, so will the technologists. It will be eye-opening to see where this leads us 6-12 months down the road, and what feedback NIST receives this summer. You can view the full draft of the Digital Authentication Guidelines here.
To learn more about how iovation can help with your authentication needs, start by watching our webinar, The Pitfalls and Promises of Authentication in the IoT, and download our Multi-factor Authentication solution brief.