NIST denounces sms-based 2FA, but where is the convenient alternative?

Global 2FA sms

Something you know, something you have: These two factors are the holy grail in two-factor authentication, an authentication method that is widely used in combination with sms text messages. The NIST, the agency that establishes technical standards and policies for the US government, however, declared it unsecure.

The NIST declares: ‘Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators. If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier shall verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service.

Out-of-band authentication using the PSTN (SMS or voice) is deprecated, and is being considered for removal in future editions of this guideline.’ Sms messages have been used for securing transactions, login sessions and payments. It gained popularity among businesses and enterprises because it’s cheap, easy to implement and its ubiquitousness: nearly everyone can receive a text message and knows how to use the text messaging application on their mobile phones. The NIST is right in stating that there are vulnerabilities in sms-based 2FA. TechCrunch states that there are plenty of alternatives. ‘SMS was just the easy one’. “There are plenty of options”, TechCrunch writes, mentioning Google Authenticator and RSA SecurID.

Although NIST recommended not to use sms-based 2FA months ago, very few things have changed, which proves TechCrunch’s statement that SMS was just the easy one to with. Other alternatives are for instance TOTP, a Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. Another alternative could be downloading the Google Authenticator app on your smartphone. But how would you implement this in your business? There are options to use Google Authenticator for non-Google products like Evernote, Dropbox and Outlook.

Using it for the whole business is another issue as not everyone uses the same hardware and software. Furthermore, Google Authenticator isn’t particularly easy to scale if using it on several servers. Secondly, not everyone can download apps. Especially in emerging markets like some countries in Asia and Africa, feature phones are still a majority rather than smartphones.

Changing to authenticator apps means that a lot of people are blocked from using an easy and fairly secure authentication method. If authenticator apps would have been as easy and convenient to use as sms-based two-factor authentication, it would’ve been widely used around the globe. Of course, the internet should be as secure as possible, but basically people tend to combine security and convenience. Sms-based 2FA meets exactly those requirements. 

More about 2FA



Enjoyed this article? Please share the news!

About the author

Erik Eggens is an allround journalist, editor, content creator and copywriter and takes a keen interest in mobile, finance and politics.

Connect with Erik on

LinkedIn, Twitter.