NIST axes SMS-based two-factor authentication for US government apps

NIST issued new guidance calling for the phasing out of SMS-based 2FA
NIST issued new guidance calling for the phasing out of SMS-based 2FA

US government service providers will be required to phase out the use of SMS-based two-factor authentication (2FA) as the result of new guidelines from the National Institute of Standards and Technology (NIST).

The federal technology agency, which provides government and private industries with standards reference materials, issued on Wednesday its draft Special Publication 800-63B Digital Authentication Guideline. The 17,000-word document concludes that because of the possibility that the one-time code itself could be intercepted or redirected, SMS-based two-factor authentication should no longer be used.

"Digital authentication is the process of establishing confidence in user identities electronically presented to an information system," the NIST document states. What's at stake is the strength of authentication transactions.

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. [Out of band] using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

The development follows in the wake of several malware attacks impacting SMS codes as well as malicious campaigns where users' VoIP connections were hijacked.

While the guidance applies to government providers, the implications are certain to spread to the wider business environment. 

For instance, banks will certainly be impacted, according to Mickey Boodaei, CEO of Transmit Security. 

In an emailed statement to SCMagazine.com, he said: "The NIST Digital Authentication Guidance demonstrates how complicated the authentication market has become. While new and exciting authentication techniques such as fingerprint, face, eye and voice are being adopted by many banks, security risks need to be carefully managed."

The NIST guidance, he added, emphasises the need to couple biometric authentication with strong cryptography, the use of additional authenticators and authenticator lifecycle management, which includes support for various processes, such as binding, management of false match rates, revocation, expiration and more.

As the market keeps evolving, new authentication capabilities will be rolled out and new security requirements around these capabilities will emerge, he said. "Agile policy management and the ability to easily tie together different security processes and functionality are often overlooked by banks that are adopting biometrics. This will result in rapid and complicated changes to their applications and introduce unnecessary risk."