In a recent draft of “Digital Authentication Guideline: Authentication and Lifecycle Management” (SP 800-63B), the United States National Institute of Standards and Technology (NIST) hints at a future ban of SMS-based Two-Factor Authentication (2FA).
2FA is a baseline control for anyone concerned about online privacy and data security. It confirms a user’s claimed identity by requiring two different kinds of evidence: something the user knows, something the user possesses, or something inseparable from the user (a biometric).
A familiar everyday example is withdrawing money from a cash machine: only the correct combination of a bank card (something the user possesses) and a PIN (personal identification number, something the user knows) allows the transaction. Note what 2FA does not do: it does not help when an attacker captures both factors at once. ATM skimmers copy the card and record the PIN, phishing pages relay the password and the one-time code, and malware on the user’s device can harvest both. Online, 2FA usually pairs a password with a one-time code delivered to a second device, most commonly by SMS to the user’s phone.
In the draft, however, NIST argues that SMS-based 2FA is insecure for two reasons: the user may not remain in control of the phone number (numbers change hands), and when the number is served by a VoIP or other software-based service rather than a mobile network, the message is not tied to a physical handset and may be read or intercepted elsewhere instead of reaching the phone. The guideline recommends hardware tokens and software cryptographic authenticators instead. Biometrics are acceptable only on one condition: “Biometrics SHALL be used with another authentication factor (something you know or something you have),” the draft says.
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” the guideline reads, hinting at a future ban of SMS-based 2FA.
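The quoted paragraph is effectively a checklist for a verifier that still uses SMS out-of-band codes: check that the number is on a mobile network and not a VoIP service before sending, refuse to change the registered number without a second factor at that moment, and treat the code itself as short-lived and single use. The following Python is an added example written for this page, not code from NIST or from any product; the carrier lookup table and the SMS sender are constructed stand-ins for a real number-type lookup API and SMS gateway, and the phone numbers are made up.

```python
"""Out-of-band SMS verifier enforcing the draft's rules (added example).

The carrier lookup and SMS sender below are constructed stand-ins; a real
deployment would call a number-type lookup API and an SMS gateway instead.
"""
import hmac
import secrets
import time

# Constructed stand-in for a carrier / number-type lookup service.
# The E.164 numbers are made up for this example.
_NUMBER_TYPES = {
    "+15555550100": "mobile",
    "+15555550101": "voip",
    "+15555550102": "landline",
    "+15555550103": "mobile",
}

CODE_TTL_SECONDS = 300  # OOB codes are short-lived and single use


class OobSmsError(Exception):
    pass


def lookup_number_type(number: str) -> str:
    """Return 'mobile', 'voip', 'landline' or 'unknown' for an E.164 number."""
    return _NUMBER_TYPES.get(number, "unknown")


class OobSmsVerifier:
    def __init__(self, send_sms=None, now=time.time):
        self._numbers = {}   # user -> pre-registered telephone number
        self._pending = {}   # user -> (code, expires_at)
        self._sent = []      # (number, body) pairs captured by the stub sender
        self._send_sms = send_sms or (lambda num, body: self._sent.append((num, body)))
        self._now = now

    def register_number(self, user: str, number: str, second_factor_verified: bool) -> None:
        """Bind a number to a user.

        Changing an existing binding SHALL NOT be possible without 2FA at the
        time of the change, so the caller must prove a fresh second-factor
        check succeeded. Non-mobile numbers are rejected at registration too,
        which is stricter than the draft (it only mandates the check at send time).
        """
        if user in self._numbers and not second_factor_verified:
            raise OobSmsError("changing the registered number requires 2FA")
        if lookup_number_type(number) != "mobile":
            raise OobSmsError(f"{number} is not on a mobile network")
        self._numbers[user] = number

    def start_verification(self, user: str) -> str:
        """Re-check that the number is mobile-network backed, then send a code."""
        number = self._numbers.get(user)
        if number is None:
            raise OobSmsError("no pre-registered number")
        # The draft requires this check at send time: a number that has since
        # been moved to a VoIP or other software-based service is refused.
        if lookup_number_type(number) != "mobile":
            raise OobSmsError(f"{number} resolved to a non-mobile (VoIP/other) service")
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG-generated 6-digit code
        self._pending[user] = (code, self._now() + CODE_TTL_SECONDS)
        self._send_sms(number, f"Your verification code is {code}")
        return number

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, using a constant-time compare."""
        pending = self._pending.pop(user, None)   # consumed on first attempt
        if pending is None:
            return False
        code, expires_at = pending
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)

    def last_sent(self):
        """Return the most recent (number, body) captured by the stub sender."""
        return self._sent[-1] if self._sent else None
```

The code is popped from the pending table before it is compared, so a guessed or replayed submission cannot be retried against the same code, and a wrong guess forces a fresh send. In a real service the stub `lookup_number_type` would be replaced by a carrier lookup, and `register_number` would be called only from a flow that has just completed a second-factor check for the session.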