SMS Based Two-Factor Authentication Will End Soon

by CXOtoday News Desk    Jul 28, 2016


SMS-based two-factor authentication (2FA), one of the most common authentication processes, has now been declared insecure and vulnerable to cyber attacks. The US National Institute of Standards and Technology (NIST) has identified severe security flaws in this type of 2FA and has hinted that it will ban the process soon. The institute has published a draft of its Digital Authentication Guideline and is preparing to ban SMS-based two-factor authentication.

“If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service”, the draft reads.

“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance”, the draft further states. 


2FA is one of the most commonly used authentication processes for accessing email and executing online transactions. Many services offer SMS-based 2FA to their consumers so that they can access services safely.

However, NIST argues that SMS-based two-factor authentication is an insecure process because it’s too easy for anyone to obtain a phone and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient.

Further, the SMS may be hijacked by a VoIP service, Softpedia notes. Since some VoIP services allow the hijacking of SMS messages, hackers could still gain access to accounts protected with SMS-based two-factor authentication.

Also, design flaws in SS7 (Signalling System No. 7) allow an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the attacker hijack any service that uses SMS to send the secret code for resetting an account password.

NIST’s draft also notes that two-factor authentication via a secure application or biometrics, such as a fingerprint scanner, may still be used. “Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have),” the draft reads.

Considering the security issues with the authentication process, many technology companies such as Facebook and Google now offer an in-app code generator as an alternative solution for two-factor authentication, one that does not rely on SMS or the network carrier. Google recently introduced a new method called Google Prompt that uses a simple push notification: you just tap on your mobile phone to approve login requests.
