NIST Says SMS-Based Two-Factor Authentication Isn't Secure
Updated guidelines from the National Institute of Standards and Technology say SMS-based two-factor authentication should be banned.

While Google has encouraged users to enable two-step authentication within Google Apps, to add "an extra layer of security," the U.S. National Institute of Standards and Technology updated its Digital Authentication Guidelines (DAG) on July 27 and now reports that two-factor verification over SMS isn't secure and should be banned. The relevant paragraph, first spotted by Hacker News, states:

"If the out-of-band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [out-of-band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

NIST does approve, however, of authentication via multifactor (MF) one-time passwords (OTP), where the second authentication factor is biometric, like a fingerprint, or input with an entry pad or interface, as through a USB port. "The one-time password is typically displayed on the device and manually input to the verifier, although direct electronic output from the device as input to a computer is also allowed," the DAG explains. "For example, a one-time password device may display 6 characters at a time. The MF OTP device is something you have, and it may be activated by either something you know or something you are."
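The three requirements in the quoted NIST paragraph translate into concrete checks on the verifier side. The following Python sketch is an added example, not code from NIST or from the article: it refuses SMS delivery to numbers that are not on a mobile network, records every SMS use as deprecated, and allows a change of the pre-registered number only with a second-factor proof that is fresh at the time of the change. The carrier lookup table, the freshness window and the `gateway` list standing in for an SMS service are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed lookup of line types keyed by E.164 number. A real verifier
# would query a carrier / number-type lookup service instead of a dict.
LINE_TYPE = {
    "+15551230001": "mobile",
    "+15551230002": "voip",
    "+15551230003": "landline",
    "+15551230004": "mobile",
}

# How recently the second factor must have been verified for a number change
# to count as "at the time of the change" (assumed value, in seconds).
MFA_FRESHNESS_SECONDS = 300


class PolicyViolation(Exception):
    """Raised when an action would violate the out-of-band verifier rules."""


@dataclass
class Account:
    phone: str                               # pre-registered telephone number
    last_mfa_at: Optional[float] = None      # when a second factor was last verified
    warnings: List[str] = field(default_factory=list)


def line_type(number: str) -> str:
    """Report the network type behind a number; unknown numbers are not trusted."""
    return LINE_TYPE.get(number, "unknown")


def send_sms_oob(acct: Account, code: str, gateway: List[Tuple[str, str]]) -> bool:
    """Deliver an OOB code by SMS only to a number on a mobile network.
    `gateway` is a constructed stand-in for the SMS sending service."""
    kind = line_type(acct.phone)
    if kind != "mobile":
        raise PolicyViolation(f"SMS OOB refused: {acct.phone} is '{kind}', not a mobile network")
    # SMS OOB is deprecated, so every use is recorded for migration tracking.
    acct.warnings.append("SMS OOB is deprecated; enrol an OTP device")
    gateway.append((acct.phone, code))
    return True


def change_phone(acct: Account, new_number: str, now: float) -> None:
    """Replace the pre-registered number; needs a fresh second-factor proof and a mobile number."""
    if acct.last_mfa_at is None or now - acct.last_mfa_at > MFA_FRESHNESS_SECONDS:
        raise PolicyViolation("number change requires two-factor authentication at the time of change")
    if line_type(new_number) != "mobile":
        raise PolicyViolation(f"new number {new_number} is not on a mobile network")
    acct.phone = new_number
```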