SMS-based two-factor authentication (2FA) should be phased out, according to the National Institute of Standards and Technology (NIST) at the US Department of Commerce.
In the draft of its latest Digital Authentication Guideline, the agency explained that the recommendation stems from risks specific to delivering authentication codes over SMS.
NIST noted that because SMS messages can be “intercepted and redirected”, a code sent by text may reach someone other than the account holder, so SMS 2FA does not deliver the assurance a second factor is meant to provide.
“Implementers of new systems should carefully consider alternative authenticators,” it advised.
Such alternatives include one-time passwords (OTP) generated on the user’s own device rather than sent by text, as well as hardware tokens and push-based authentication.
As ESET’s senior research fellow David Harley has previously stated: “One-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”
Recognition of 2FA’s value is increasing throughout the world, with more and more organizations looking to invest in this additional layer of security.
In recent years, well-known technology firms such as Apple, Twitter, Google, Facebook and Snapchat have been advocating the use of 2FA.
It’s important to remember that 2FA is an additional layer, not a substitute for the first one: users still need to be vigilant and ensure that their devices and accounts are protected by strong, complex passwords.
Better still, use a passphrase in place of a password: being “longer, more complex and easy to remember”, passphrases are also harder to crack.