NIST: SMS Authentication is not Secure.


Towards the end of July 2016, the National Institute of Standards and Technology (NIST) began deprecating SMS-based out-of-band authentication in the public draft of its Digital Authentication Guideline (Special Publication 800-63B). The updated guideline states that SMS is no longer considered a secure channel for delivering authentication codes and that it will not be allowed in future versions of the guidance. SMS is not only insecure but also inconvenient for users; below we explain why we think so.

Updated guidelines of NIST
Out-of-band authentication via SMS is common in financial institutions, governments and other organisations with stringent security requirements. NIST argues, however, that SMS-based two-factor authentication is an insecure process because it is too easy for an attacker to intercept or redirect the SMS that carries the authentication code. As NIST puts it in the updated guideline: “it is acceptable for now, but SMS will no longer be allowed in future releases of this guidance. Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators.”

Since SMS-based 2FA is widespread, a large number of businesses worldwide will need to change their remote authentication processes or knowingly deviate from NIST guidance.

Banks and other online service providers still send two-factor authentication codes to their customers via SMS, even though experts have known for years that the channel has weaknesses.

Why is SMS not secure as an authentication method?
An attacker can call your mobile operator pretending to be you and persuade the support desk to move your number to a different SIM card (a “SIM swap”); from that moment every authentication code sent to your number arrives on the attacker’s handset. Messages can also be intercepted in transit, for example through weaknesses in the SS7 signalling network that carriers use to route SMS, or read by malware on the phone itself. In each case the attacker obtains the one-time code without ever touching your password, which turns “two factors” back into one. Recent examples follow.

Alternatives to SMS Authentication
It is true that the vast majority of people are better off using SMS 2FA than no second factor at all. Experts say that alternative authentication methods, such as smart cards and on-device authentication apps, provide better security. Any out-of-band alternative to SMS should deliver strong, multi-factor authentication together with push notifications that carry application-relevant information, for example an authorisation or consent request, and it should be fully auditable and compliant with international standards and regulations.
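To make concrete why an on-device authenticator app has nothing for a SIM swap to capture, here is an added example (not code from the original article, nor from AET or ConsentID) of time-based one-time passwords as standardised in RFC 6238 / RFC 4226. The code is never transmitted: the server and the app share a secret at enrolment, and each side derives the same six digits from that secret and the current time. The server-side verifier also illustrates two checks a practitioner wants: a small clock-drift window and a replay guard that refuses a code once it has been accepted. The secret bytes below are the RFC 6238 test-vector secret, used here only so the outputs can be checked against the RFC; a real deployment generates a fresh random secret per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote, urlencode

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Constructed for checking against the RFC tables only; never reuse it.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check.

    Returns the time-step counter that matched, or None if the code is wrong,
    outside the +/-window drift tolerance, or a replay of an already-accepted
    counter. The caller stores the returned counter as the new last_counter.
    """
    current = at_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue  # replay guard: each time step is accepted at most once
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def new_secret(length: int = 20) -> bytes:
    """Per-user enrolment secret: 160 random bits, the size RFC 4226 recommends."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment.
    Base32 without padding is the form the apps expect."""
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?{params}"


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082 for 8 digits, hence 287082 for 6.
    print(totp(RFC_TEST_SECRET, 59))
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, last_counter=1))  # replay
    print(provisioning_uri(new_secret(), "alice@example.com", "ExampleBank"))
```

Nothing in this exchange crosses the telephone network: redirecting the user’s number gains the attacker nothing, because the secret lives in the app, not in a message. The remaining attack surface is the enrolment step (protect the QR code) and the server’s copy of the secret (store it like a password database), which is where design effort should go rather than into the delivery channel.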

Welcome to the world of ConsentID. It works from any device (mobile, tablet or desktop) and across operating systems. AET brings more than 15 years of experience to the ConsentID authentication and signing service: a flexible, easily adaptable solution that integrates with any business application. Read more on ConsentID.