
Platform Update: NIST no longer deprecates SMS for 2FA in Digital Identity Guidelines

“NIST declares the age of SMS-based 2-factor authentication over”; “US government agency calls for the end of SMS authentication.”

These headlines ran on TechCrunch and Engadget in the summer of 2016, after NIST (the USA’s National Institute of Standards and Technology) published a draft of its technology and security standards that deprecated SMS for two-factor authentication.

Completely dropped earlier statement

Today, however, the publication is no longer a draft: it has been released in its final version as “NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management”. NIST has completely dropped the paragraph that stated: “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

In place of that paragraph, NIST now states that if SMS is used for out-of-band authentication, ‘the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. […] Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.’

Ruling out OTT platforms

NIST says that the pre-registered telephone number must be associated with a physical device. This clearly rules out 2FA messages sent to platforms such as WhatsApp, Facebook Messenger, WeChat, Google Voice and others: those accounts can also be used from desktop computers, so the recipient is not identified by a SIM card.
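As an added illustration (not code from the original post or from NIST), here is how a verifier might encode the two requirements quoted above as a gate applied before sending an out-of-band SMS: the line-type check rules out VoIP and OTT numbers, and the recent-event check implements the SHOULD on risk indicators (device swap, SIM change, number porting). The lookup records, phone numbers and seven-day risk window are constructed assumptions; a real deployment would obtain this data from a carrier number-lookup service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample record for a pre-registered number. In practice this
# would come from a carrier lookup API, not be hard-coded.
@dataclass
class NumberRecord:
    line_type: str                            # "mobile", "voip", "landline", "ott"
    sim_changed_at: Optional[datetime] = None  # last SIM change, if known
    ported_at: Optional[datetime] = None       # last number port, if known
    device_swapped_at: Optional[datetime] = None

# Constructed lookup table keyed by E.164 number (placeholder numbers).
LOOKUP: Dict[str, NumberRecord] = {
    "+15550000001": NumberRecord("mobile"),
    "+15550000002": NumberRecord("voip"),
    "+15550000003": NumberRecord("mobile", sim_changed_at=datetime(2017, 6, 30)),
    "+15550000004": NumberRecord("mobile", ported_at=datetime(2017, 1, 10)),
}

RECENT = timedelta(days=7)  # assumed window in which an indicator counts as risky

def sms_oob_decision(number: str, now: datetime) -> Tuple[str, List[str]]:
    """Decide whether an OOB secret may be delivered by SMS to `number`.

    Returns ("reject" | "step_up" | "deliver", reasons):
      reject   - the number is not bound to a physical mobile device
                 (the SHALL in SP 800-63B), so SMS must not be used.
      step_up  - a listed risk indicator fired recently; the verifier
                 should prefer another authenticator (the SHOULD).
      deliver  - no indicator fired; SMS delivery may proceed.
    """
    rec = LOOKUP.get(number)
    if rec is None:
        return "reject", ["number is not pre-registered"]
    if rec.line_type != "mobile":
        return "reject", [f"line type '{rec.line_type}' is not a physical mobile device"]
    reasons: List[str] = []
    for label, ts in (("SIM change", rec.sim_changed_at),
                      ("number porting", rec.ported_at),
                      ("device swap", rec.device_swapped_at)):
        if ts is not None and now - ts <= RECENT:
            reasons.append(f"{label} within the last {RECENT.days} days")
    return ("step_up" if reasons else "deliver"), reasons
```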

Contrary to some media outlets’ coverage, NIST has not only dropped the statement that SMS for 2FA should no longer be used; it has also confirmed the guidelines that telecom operators worldwide have been following for years. NIST acknowledges 2FA via SMS as a valid authentication channel.

Perfect timing

The upcoming Payment Services Directive II (PSDII) regulation demands strong customer authentication for digital payments in Europe. This will effectively make SMS-based 2FA usage grow significantly. NIST’s recommendations on how to deploy 2FA via SMS are therefore perfectly timed, and will hopefully be widely adopted by the industry.
