Two-factor authentication has been slowly falling out of favor with cybersecurity professionals, especially for SMS applications. The U.S. National Institute of Standards and Technology One (NIST) is the latest group to criticize the system. In a recent Digital Authentication Guideline paper, the agency recommended phasing out the system it considers insecure. This is an important development because NIST is one of the U.S. government’s top authorities on cybersecurity.
The issues raised by NIST about SMS 2FA focuses on the fact that the messages involved in the authentication can be intercepted and sent to a different location. Many companies use SMS two-factor authentication, but the SMS form is especially exploitable because of flaws associated with mobile devices and voice-over-internet protocol (VoiP) services.
The paper strongly urges authentication processes to use biometrics, recommending that it “be used with another authentication factor (something you know or something you have).” The problem here is that just like SMS messages, biometrics can be spoofed. But since it is much easier to intercept messages via Man-in-the-Middle attacks, biometrics is still a viable option.
It should be noted that the slow elimination of 2FA via SMS will be just that: a slow process be plagued by countless hurdles. These changes to biometrics or other potential options will not be implemented overnight as we are talking about a massive overhaul of how companies allow users to verify their identities. It is telling, however, that NIST is also opening comments to the public via GitHub about the Digital Authentication Guideline paper. The agency emphasizes that the paper is only a preview of what may happen when SMS 2FA is eliminated, and as such there will be a two- to three-week period allowing for comments on the agency’s findings.
Google, Facebook, and other companies have been moving away from 2FA via SMS toward more secure options. It is likely in the next few years we will see the system eliminated entirely.