SMS-based Two-Factor Authentication (2FA) has been declared insecure

Two-Factor Authentication (2FA) adds an extra layer of security: when you log on to your account, you must also enter a random passcode sent to you by SMS or by phone call. Two-factor authentication via telephone text messages has until now been one of the most common forms of 2FA. 2FA tokens deter attackers because they require real-time data from the potential victim, but today's malware is specifically designed to circumvent this security measure.

The US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in future because of security concerns. NIST says: “If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” This is consistent with a large number of reports that the end-point devices may be under the attacker's control via malware.
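The quoted draft imposes three concrete obligations on a verifier that still uses SMS: check that the registered number belongs to a mobile network rather than a VoIP service, send the code only to the pre-registered number, and refuse to change that number without a second factor at the time of the change. The following Python sketch is an added example, not code from the article or from NIST, showing how a verifier might enforce those rules. The `line_type` lookup and its `CONSTRUCTED_LINE_TYPES` table are a placeholder for whatever carrier-lookup service a real deployment would call; the `send_sms` callable is injected so the example runs offline.

```python
import hmac
import secrets
import time

# Constructed stand-in for a carrier / number-type lookup service (hypothetical,
# not a real API): maps an E.164 number to the kind of line it is attached to.
CONSTRUCTED_LINE_TYPES = {
    "+15550001001": "mobile",
    "+15550001002": "voip",
    "+15550001003": "landline",
    "+15550001004": "mobile",
}

OTP_TTL_SECONDS = 300  # one-time code lifetime


def line_type(number):
    """Hypothetical lookup: 'mobile', 'voip', 'landline' or 'unknown'."""
    return CONSTRUCTED_LINE_TYPES.get(number, "unknown")


class SmsOobVerifier:
    """Out-of-band SMS verifier applying the draft's mobile-only and 2FA-to-change rules."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(number, text); injected transport
        self.numbers = {}         # user_id -> pre-registered telephone number
        self.pending = {}         # user_id -> (code, expiry timestamp)

    def register_number(self, user_id, number):
        # Rule 1: the number must be on a mobile network, not VoIP or software-based.
        if line_type(number) != "mobile":
            raise ValueError("SMS OOB requires a mobile-network number (got %s)" % line_type(number))
        self.numbers[user_id] = number

    def start_challenge(self, user_id):
        # Rule 2: send only to the pre-registered number, and re-check the line type
        # at send time in case the number was ported to a VoIP service since registration.
        number = self.numbers[user_id]
        if line_type(number) != "mobile":
            raise ValueError("registered number is no longer on a mobile network")
        code = "%06d" % secrets.randbelow(10**6)  # CSPRNG, zero-padded 6 digits
        self.pending[user_id] = (code, time.time() + OTP_TTL_SECONDS)
        self.send_sms(number, "Your verification code is %s" % code)

    def verify(self, user_id, submitted, now=None):
        # Single use: the pending code is consumed whether or not it matches.
        entry = self.pending.pop(user_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return False
        return hmac.compare_digest(code, submitted)  # constant-time comparison

    def change_number(self, user_id, new_number, second_factor_code):
        # Rule 3: changing the pre-registered number requires 2FA at the time of the change.
        if not self.verify(user_id, second_factor_code):
            raise PermissionError("valid second factor required to change the registered number")
        self.register_number(user_id, new_number)


if __name__ == "__main__":
    outbox = []
    v = SmsOobVerifier(send_sms=lambda n, t: outbox.append((n, t)))
    v.register_number("alice", "+15550001001")
    v.start_challenge("alice")
    code = outbox[-1][1].split()[-1]
    print("code accepted:", v.verify("alice", code))
    try:
        v.register_number("bob", "+15550001002")
    except ValueError as e:
        print("rejected VoIP number:", e)
```

The code is consumed on the first `verify` call regardless of outcome, so a second submission of the same code fails, and the line type is re-checked immediately before each send rather than only at registration.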