NIST deprecates SMS-based 2FA, but where is the convenient alternative?



Something you know, something you have: these two factors are the holy grail of two-factor authentication, and the second factor is very often delivered as an SMS text message. NIST, the agency that sets technical standards and policies for the US federal government, has now deprecated that practice, citing the risk that such messages are intercepted or redirected.

Alternative authenticators

NIST declares, in its draft Digital Identity Guidelines: ‘Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators. If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier shall verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service. Out-of-band authentication using the PSTN (SMS or voice) is deprecated, and is being considered for removal in future editions of this guideline.’

SMS messages have long been used to secure transactions, login sessions and payments. They gained popularity among businesses because they are cheap, easy to implement and ubiquitous: nearly everyone can receive a text message and knows how to use the messaging application on their phone. NIST is right that SMS-based 2FA has weaknesses. The code is only as safe as the route it travels: anyone who can get the message rerouted, by having the number ported or SIM-swapped at the carrier, by forwarding it to a VoIP account they control, or by intercepting it on the carrier network, receives the second factor without ever touching the phone. TechCrunch states that there are plenty of alternatives and that ‘SMS was just the easy one’. “There are plenty of options”, TechCrunch writes, mentioning Google Authenticator and RSA SecurID.

Although NIST recommended against SMS-based 2FA months ago, very little has changed, which supports TechCrunch’s observation that SMS was just the easy one to go with. The main alternative is TOTP, the Time-based One-time Password algorithm: the verifier and the user’s device share a secret key, and both compute a short code from that key and the current time (in 30-second steps), so a code is only valid for a brief window and nothing has to be sent over the phone network at all. Google Authenticator is simply one app that implements TOTP; most other authenticator apps do the same. But how would you roll this out in your business? Google Authenticator can be used with non-Google products such as Evernote, Dropbox and Outlook.
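To make the TOTP description concrete, here is an added example (not code from the original article) of the algorithm in plain Python: HOTP (RFC 4226) as the building block, TOTP (RFC 6238) on top of it, and a verifier that tolerates one step of clock drift and refuses to accept a counter it has already seen. The seed is the RFC 6238 test vector `"12345678901234567890"`; its base32 form is what an authenticator app would be provisioned with. Only the standard library is used, so it runs offline.

```python
"""Minimal TOTP (RFC 6238) generator and verifier built on HOTP (RFC 4226).

Added example, not code from the original article. Uses only the standard
library. RFC_SEED is the RFC 6238 test seed; RFC_SEED_BASE32 is that same
seed in base32, the form authenticator apps are provisioned with.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SEED = b"12345678901234567890"
RFC_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the top bit
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Verifier side. Accepts a code for the current step or one within +/- window
    steps (clock drift), compares in constant time, and rejects any counter that is
    not newer than last_counter so an observed code cannot be replayed.
    Returns the matched counter (store it as the new last_counter) or None."""
    now = unix_time // step
    for delta in range(-window, window + 1):
        ctr = now + delta
        if last_counter is not None and ctr <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, ctr, digits), code):
            return ctr
    return None


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret found in an otpauth:// provisioning URI / QR code."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))     # restore padding if omitted


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SEED_BASE32)
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("verifies as counter", verify_totp(secret, totp(secret, now), now))
```

The `window` and `last_counter` arguments are the two pieces most naive implementations omit: without the window, a phone whose clock is 20 seconds off fails every login; without the replay check, a code that leaks once is reusable for the rest of its 30-second step.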

Using it across a whole business is another matter, as not everyone uses the same hardware and software. Furthermore, an authenticator app does not scale as effortlessly as SMS: every server that verifies codes needs access to each user’s shared secret, those servers’ clocks must stay in sync, and each user has to be enrolled by scanning a QR code. Secondly, not everyone can download apps. Especially in emerging markets, in parts of Asia and Africa, feature phones are still in the majority rather than smartphones.

Switching to authenticator apps means that a lot of people are locked out of an easy and fairly secure authentication method. If authenticator apps had been as easy and convenient to use as SMS-based two-factor authentication, they would already be in wide use around the globe. Of course, the internet should be as secure as possible, but in practice people weigh security against convenience. SMS-based 2FA meets exactly those requirements.



About the author

Charlotte van Raak is content marketer and makes sure our readers always have interesting blogs to read about how to engage with customers. During the day, she answers 1K questions in her role as communications advisor. At night she preferably sleeps.
