NIST warns against the use of SMS-based two-factor authentication

In a new draft of its Digital Authentication Guideline released on Monday, the US National Institute of Standards and Technology (NIST) has discouraged the use of SMS-based two-factor authentication, citing security concerns.

SMS-based two-factor authentication has, in the last few years, become a popular verification tool. A number of services give their consumers the option to log in by entering a password and a code which is sent to their handsets.

The key objective of SMS-based two-factor verification is to protect against hacking: a hacker can get into an account only with both the person's password and his/her cell phone.

In the newly updated draft of its Digital Authentication Guideline, NIST warns that SMS messages are vulnerable to hacking because they can be intercepted or redirected by hackers. The warning is apparently rooted in the fact that hackers have, in the past, infected smartphones with malware and clandestinely redirected SMS messages to another device.

Discouraging the use of SMS-based two-factor authentication, NIST said in the new draft of its Digital Authentication Guideline: "[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
