SMS Two-Factor Authentication Is No Longer Approved By NIST

This week the National Institute of Standards and Technology (NIST) released new guidance regarding SMS two-factor authentication (2FA) in its latest draft of the Digital Authentication Guideline. According to the draft, NIST says, “[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

The draft guidance from NIST doesn’t go into too much detail as to why this method has been deprecated, but there are some clues in the draft as well as numerous other reasons that have been discussed in the media. The specific language used by NIST is:

“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band (OOB) verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.” (NIST, 2016)

SMS messages are not, and really never have been, considered secure. Most phones, at least by default, will display SMS (also commonly called “text messages”) on the lock screen of the phone.  An attacker would only need to be in visual range of the device to see the PIN. Additionally, as NIST said in the above section, SMS messages have been shown to be vulnerable to interception and redirection attacks from malicious parties. There is a great writeup of some of these flaws in an Engadget article from August of 2015, “Phone Network Security Flaw Lets Anyone Bug Your Calls.” The previous article is just one of many such reports that have slowly risen from the depths of hacker lore into the mainstream of the global media.

The good news is that there are numerous alternatives that are much more secure and cost no more than SMS. For example, Google makes its Google Authenticator App which is freely provided to both users and developers. There are also several apps that are already widely used in healthcare, such as Duo and Facebook’s authenticator, that provide API requirements to allow any developer to integrate a 2FA solution.

While it may be preferable to use SMS as a second factor, rather than having only a single authentication factor, if it is at all reasonable, a more secure solution should be chosen due to the inherent flaws in SMS. The fact that SMS is a flawed messaging platform, which should not be relied on for security purposes, shouldn’t come as a major surprise; SMS made its debut in 1992 at a time when security was not nearly as big of a concern.

NIST guidance is not required to be followed by any organization that is not either part of the US government or required to meet its compliance standards because of governmental contracts.  However, many industries (including healthcare) rely on NIST for guidelines and resources to make compliance and security controls more consistent across industries.