Key Update: NIST no longer deprecates SMS for 2FA in Digital Identity Guidelines

2 minutes read

Digital Identification

“NIST declares the age of SMS-based 2-factor authentication over, US government agency calls for the end of SMS authentication”.

The above headlines are from TechCrunch and Engadget. Headlines that made news in the summer of 2016 after the NIST (USA’s National Institute of Standards and Technology) published a draft about technology and security standards, deprecating SMS for two-factor authentication.

Completely dropped earlier statement

Today, however, the publication is no longer a draft and has become a final version “NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. NIST has completely dropped the paragraph that stated: “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

The paragraph has since been removed. NIST now states that if authentication is used via SMS (out-of-band), ‘the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. […] Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.’

Ruling out OTT platforms

NIST says that a pre-registered telephone number should be used, which is associated with a physical device. This clearly rules out 2FA messages that are being sent to platforms such as WhatsApp, Facebook Messenger, WeChat, Google Voice and more, as they could also be used on desktop computers as well and are therefore not identified by a SIM card.

In contrast to some media outlets coverage, NIST not only has dropped the statement that SMS for 2FA should no longer be used, it confirmed also the guidelines that worldwide telecom operators have been following for years. NIST acknowledges 2FA via SMS as a valid authentication channel.

Perfect timing

The upcoming Payment Services Directive II (PSDII) regulation demands strong customer authentication for digital payments in Europe. Effectively, this will make the 2FA SMS usage grow significantly. The recommendations from NIST on how to deploy 2FA via SMS are therefore perfectly timed, and will hopefully be widely adopted by the industry.

Learn more on 2FA via messagin




Continue reading

Previous How to engage students through mobile: examples of success
Next Reduce patient waiting times in healthcare with a simple SMS
Back To news overview

Enjoyed this article? Please share the news!

About the author

Erik Eggens is an allround journalist, editor, content creator and copywriter and takes a keen interest in mobile, finance and politics.

Connect with Erik on

LinkedIn, Twitter.