NIST Says SMS-Based Two-Factor Authentication Isn't Secure

Updated guidelines from the National Institute of Standards and Technology say SMS-based two-factor authentication should be banned.


While Google has encouraged users to enable two-step authentication within Google Apps to add "an extra layer of security," the U.S. National Institute of Standards and Technology updated its Digital Authentication Guidelines (DAG) on July 27, and the revised guidance states that two-factor verification over SMS isn't secure and should be banned.

The relevant paragraph, first spotted by Hacker News, states:

"If the out-of-band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [out-of-band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

NIST does, however, approve of authentication via multifactor (MF) one-time-password (OTP) devices, where the device is activated by a second factor: either a biometric, such as a fingerprint, or something entered on a keypad or through an interface such as a USB port.

"The one-time password is typically displayed on the device and manually input to the verifier, although direct electronic output from the device as input to a computer is also allowed," the DAG explains. "For example, a one-time password device may display 6 characters at a time. The MF OTP device is something you have, and it may be activated by either something you know or something you are."

The DAG adds that any biometric data derived from a biometric sample "SHALL be immediately erased from storage immediately after an authentication transaction has taken place." (Uppercasing and italics are NIST's.)

One alternative to SMS codes is Google Prompt, which the company made widely available on June 20. Rather than sending an SMS with a six-digit code to type in, Prompt sends a push notification that the user simply taps to approve a log-in request. On Android devices it is integrated into Google Now; on iOS it is part of Google Search, so users need to download the Google Search app and sign in.

(Google notes that a data connection is required to use Prompt, and Prompt and Security Keys can't be enabled at the same time.)
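The following is an added verifier-side sketch, not code from NIST, Google or the article, of the three rules in the quoted DAG paragraph (mobile-network check, deprecation flag, and no number change without two-factor authentication at the time of the change), together with a channel preference that puts push approval and MF OTP devices ahead of SMS. The carrier lookup table, the factor-category names and the channel names are constructed for the example; a real verifier would replace the table with a query to a number-type or carrier database.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for a carrier lookup; a real verifier would query a
# number-type database to learn whether a number is VoIP/software-backed.
_CONSTRUCTED_NUMBER_DB = {"+15550100001": "mobile", "+15550100002": "voip"}

def lookup_line_type(number: str) -> str:
    return _CONSTRUCTED_NUMBER_DB.get(number, "unknown")

@dataclass
class Decision:
    allowed: bool
    reason: str
    deprecated: bool = False  # allowed today, but slated for removal

def may_send_sms_otp(number: str) -> Decision:
    """The number SHALL be on a mobile network, not a VoIP or other software
    service. Unknown types fail closed; permitted sends are flagged deprecated."""
    line = lookup_line_type(number)
    if line == "mobile":
        return Decision(True, "number is on a mobile network", deprecated=True)
    return Decision(False, f"number type {line!r} is not a mobile network")

def may_change_registered_number(verified_factors: set[str]) -> Decision:
    """Changing the number SHALL NOT be possible without two-factor auth at the
    time of the change; the set holds factor categories verified this session."""
    distinct = verified_factors & {"know", "have", "are"}
    if len(distinct) >= 2:
        return Decision(True, f"distinct factors verified: {sorted(distinct)}")
    return Decision(False, "second factor not verified in this session")

# Second-factor preference: push approval (e.g. Google Prompt) and multifactor
# OTP devices ahead of SMS, which is offered only as a last resort.
_PREFERENCE = ("push", "mf_otp", "sms")

def choose_second_factor(available: set[str], number: str | None = None) -> str | None:
    """Pick the strongest enrolled channel; SMS only if nothing better exists
    and the registered number passes the mobile-network check."""
    for channel in _PREFERENCE:
        if channel not in available:
            continue
        if channel == "sms" and not (number and may_send_sms_otp(number).allowed):
            continue
        return channel
    return None
```

The `deprecated` flag on an otherwise permitted SMS send is the hook for migrating those accounts to push or an OTP device before SMS is disallowed outright.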

Google began testing Prompt in December with a limited group of users, saying it wanted to curb phishing and other attacks based on the exploitation of passwords.

In recent years, SMS has been tied to a number of security issues. At the Black Hat Security Conference in 2013, a cryptographer at Security Research Labs used SMS to hack into a phone in just two minutes. And last year, a flaw in Android made nearly a billion phones vulnerable to a virus that could be sent via SMS, whether the recipient opened the message or not.

While there is no legal obligation to follow NIST guidelines, most major companies do.