NIST to Ban SMS-Based Two-Factor Authentication

Most people who use two-factor authentication (2FA) use SMS-based 2FA on social media sites or business applications that require extra security. This adds a layer of security by combining a password (something you know) with a one-time code sent to your cellphone (something you have). The US National Institute of Standards and Technology (NIST) has released the latest draft version of its Digital Authentication Guideline, which contains language hinting at a future ban on SMS-based 2FA.

The Digital Authentication Guideline (DAG) is a set of rules and guidelines used by most software companies to build secure services, and by government agencies and private companies to assess the security of their software and IT services. NIST experts are constantly updating the guidelines, in an effort to keep pace with the rapid changes in technology.

NIST officials are discouraging companies from using SMS-based authentication, and even state that SMS-based 2FA might be considered insecure in future versions of the guideline. They argue that SMS-based two-factor authentication is an insecure process because the user may not always be in possession of the cellphone.

You can read more about the new guidelines here.
