The above headlines are from TechCrunch and Engadget. They made news in the summer of 2016 after NIST (the USA's National Institute of Standards and Technology) published a draft of its technology and security standards that deprecated SMS for two-factor authentication.
Completely dropped earlier statement
Today, however, the publication is no longer a draft; it has been finalized as “NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management”. NIST has completely dropped the paragraph that stated: “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”
In its place, NIST now states that if authentication is performed via SMS (out-of-band), “the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. […] Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.”
Ruling out OTT platforms
NIST requires that the pre-registered telephone number be associated with a specific physical device. This clearly rules out 2FA messages sent to platforms such as WhatsApp, Facebook Messenger, WeChat, Google Voice and others, because those accounts can also be used on desktop computers and are therefore not tied to a SIM card.
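The pre-delivery check the revised 800-63B text describes, covering both the risk indicators (SIM change, porting, device swap) and the exclusion of non-SIM lines discussed above, as an added example that is not from the article or from NIST. The `NumberRecord` fields, the seven-day window and the sample numbers are assumptions; a real verifier would fill the record from a carrier or number-lookup service and its own enrolment data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: a change within this window counts as a risk indicator.
# 800-63B names the indicators but leaves the threshold to the verifier.
RECENT_CHANGE_WINDOW = timedelta(days=7)

@dataclass
class NumberRecord:
    """Attributes a verifier would obtain from a carrier/number-lookup
    service (hypothetical field names, not a real API)."""
    e164: str
    line_type: str                         # "mobile", "voip" or "landline"
    sim_changed_at: Optional[datetime]     # last SIM change, if known
    ported_at: Optional[datetime]          # last number port, if known
    device_swapped_at: Optional[datetime]  # last handset change, if known

def sms_otp_decision(rec: NumberRecord, now: datetime) -> Tuple[str, List[str]]:
    """Decide whether an out-of-band secret may be sent over the PSTN.

    Returns ("deliver" | "step_up" | "refuse", reasons). The number SHALL be
    bound to a specific physical device, so a VoIP/OTT-style line is refused;
    a recent SIM change, port or device swap triggers a step-up instead of
    silent SMS delivery.
    """
    if rec.line_type != "mobile":
        return "refuse", [f"line type {rec.line_type!r} is not a SIM-backed mobile line"]
    reasons: List[str] = []
    indicators = (("SIM change", rec.sim_changed_at),
                  ("number port", rec.ported_at),
                  ("device swap", rec.device_swapped_at))
    for label, ts in indicators:
        if ts is not None and now - ts <= RECENT_CHANGE_WINDOW:
            reasons.append(f"{label} {(now - ts).days} day(s) ago")
    return ("step_up" if reasons else "deliver"), reasons

# Constructed sample records for the demonstration (not real subscribers).
NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS: Dict[str, NumberRecord] = {
    "stable_mobile": NumberRecord("+15550100001", "mobile", NOW - timedelta(days=400), None, None),
    "fresh_sim":     NumberRecord("+15550100002", "mobile", NOW - timedelta(days=2), None, None),
    "just_ported":   NumberRecord("+15550100003", "mobile", None, NOW - timedelta(hours=6), NOW - timedelta(hours=6)),
    "voip_line":     NumberRecord("+15550100004", "voip", None, None, None),
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, why = sms_otp_decision(rec, NOW)
        print(f"{name:14s} -> {verdict:8s} {'; '.join(why)}")
```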
In contrast to some media outlets' coverage, NIST has not only dropped the statement that SMS for 2FA should no longer be used; it has also confirmed the guidelines that telecom operators worldwide have been following for years. NIST acknowledges 2FA via SMS as a valid authentication channel.
The upcoming Payment Services Directive II (PSDII) regulation demands strong customer authentication for digital payments in Europe, which will effectively make SMS 2FA usage grow significantly. NIST's recommendations on how to deploy 2FA via SMS are therefore perfectly timed and will hopefully be widely adopted by the industry.