NIST To Ban SMS-Based Two-Factor Authentication?

Slashdot posted a story here about the National Institute of Standards and Technology banning Two-Factor Authentication (“2FA”) that uses SMS.  SMS has become extremely popular as a second factor for authentication because it represents the “something you have” factor — your mobile phone — which is now carried by most humans around the globe.

However, the phone number is a weakness because, at least in the USA, SMS is no longer tied to a mobile phone.  Many non-mobile phone numbers now support SMS interaction.  VBG’s toll-free number, for example, can receive SMS messages and route them to a software application, so a message sent to a number is not proof that a particular handset received it.

What does this mean for the authentication process?  It means that biometrics, the “something you are” factor, may become more important as an authentication factor, perhaps augmenting or supplanting SMS in 2FA.  Voice Biometrics, for example, could be used as a factor along with SMS in several ways.  One possibility is sending a link over SMS that launches a phone call to a voice biometric system, or that opens a web page with audio to a voice biometric system.  Alternatively, the SMS may contain the passphrase to speak, such as a RandomPIN™, while the biometric system places a call to the phone.

Many permutations exist.  So if you are using SMS for 2FA, start thinking about which alternative will best suit your needs in the future to ensure secure authentication for your customers and employees.
