SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.

Two-Factor Authentication or 2FA adds an extra step of entering a random passcode sent to you via an SMS or call when you log in to your account as an added layer of protection.

For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile phone every time you sign in to your account.

But, the US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in future due to security concerns.

Here's what the relevant paragraph of the latest DAG draft reads:
"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
Due to rise in data breaches, two-factor authentication has become a standard practice these days. Many services are offering SMS-based 2FA to its consumers, just to ensure that hackers would need both their passwords and mobile phone in order to hack their accounts.

SMS-based Two-Factor Authentication is Insecure

However, NIST argues that SMS-based two-factor authentication is an insecure process because it's too easy for anyone to obtain a phone and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient.

In fact, SMS-based two-factor authentication is also vulnerable to hijacking, if the individual uses a voice-over-internet protocol (VoIP) service, which provides phone call service via a broadband internet connection instead of a traditional network.

Since some VoIP services allow the hijacking of SMS messages, hackers could still gain access to your accounts protected with SMS-based two-factor authentication.

Also, the designing flaws in SS7 or Signalling System Number 7 also allows an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the attacker hijack any service, including Twitter, Facebook or Gmail, that uses SMS to send the secret code to reset account password.

Even some devices leak secret 2FA code received via SMS on the lock screen.


The DAG draft notes that two-factor authentication via a secure app or biometrics, like a fingerprint scanner, may still be used to secure your accounts.
"Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have)," the draft reads.
Moreover, Many tech companies such as Facebook and Google offer in-app code generator as an alternative solution for two-factor authentication, which does not rely on SMS or Network carrier.

Last month, Google made its two-factor authentication a lot easier and faster by introducing a new method called Google Prompt that uses a simple push notification where you just have to tap on your mobile phone to approve login requests.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.