NIST clarifies its stand on SMS in relation to two-factor authentication

Time and again media companies have proved that they could be the worst when it comes to spreading half-truths and they have done it again and this time it was NIST who was the target.

The National Institute of Standards and Technology put out a draft Special Publication 800-63-3: Digital Authentication Guideline. In the document the standards organization proposed deprecation of SMS as an out-of-band second authentication factor. However, this isn’t what the media interpreted it as and instead went about creating a whole new meaning stating that NIST was out to kill SMS as one of the methods for two-factor authentication.

Soon after the word spread out that its draft proposal has been taken as an SMS killer in the world of two-factor authentication, NIST jumped in and has put out a clarification. In a blog post NIST says that it is only proposing deprecation and not outright cull.

Drawing attention to one of the scenarios – SMS over VoIP – NIST said that it doesn’t want the authentication code ending up in someone’s messenger app like Skype or Google Voice. NIST says that it is proposing that federal agencies first verify that the phone number is truly attached to mobile phone.

“If not (and the user happens to protect her or his VoIP account with a password), the user might now be protecting sensitive personal information with two passwords—that’s two of one factor type (two of ‘something you know’) rather than actual two factor authentication (‘something you know’ and ‘something you have’). So we felt we had to propose ruling VoIP out”, the NIST blog explains.

In the second scenario where the number to which the SMS is being sent out is truly attached to a mobile phone, NIST draws our attention to an independent research wherein it has been shown that redirecting and intercepting SMS messages has become pretty easy and can be operated at scale. This effectively means that SMS as a factor for authentication doesn’t hold the strength it once had.

NIST therefore says they are discouraging use of SMS as an out-of-band authentication method and for those who are not aware what the true meaning of out-of-band authenticator is, here it is: two-factor authenticator is the one-time use code that is sent to “a physical device that is uniquely addressable and can receive a verifier-selected secret for one-time use.”

NIST says that they are proposing the deprecation of SMS as a two-factor authenticator because of the vulnerabilities highlighted and these are only guidelines and that there is still a long time for companies and federal agencies to look for alternatives.

Latest News