US standards lab says SMS is no good for authentication

National Institute for Standards and Technology says tokens, apps should replace TXT

America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication.

That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future releases of NIST's guidance.

The change was first foreshadowed in May, with the agency now kicking off the first round of public comments for the document.

For now, NIST says a service still using SMS verification needs to confirm that it's sending messages to a mobile number and not a VoIP service.

The body also says users need better protection against having messages hijacked, for example by an attacker persuading the service provider that the number has changed: “Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change”, the document states [NIST's caps - Ed].

The guideline, officially Draft NIST Special Publication 800-63B, is a “public preview”. NIST says it's chosen that terminology, rather than its usual submission process, because it's let the body put the documents up on GitHub to gather preliminary responses.

“We’re calling it a public preview because some of our agency partners (and NIST itself) have formal processes for public drafts. Calling it a public preview is our way of letting everyone know those processes aren’t in play. This lets us do things differently”, NIST writes.

The agency notes that the GitHub process won't replace public comment, but is instead “additive to the existing open and transparent process … We will maintain our tradition of extended public comment after this process comes to a close.”

During the GitHub comments process, NIST wants a focus on technical and procedural input rather than “grammar or formatting” discussions.

The GitHub repo for the Digital Authentication Guidelines is here. ®


Biting the hand that feeds IT © 1998–2017