America’s National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication.
That’s the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 22.214.171.124, the document says out-of-band verification using SMS is deprecated and won’t appear in future releases of NIST’s guidance.
The change was first foreshadowed in May, with the agency now kicking off the first round of public comments for the document.
For now, NIST says a service still using SMS verification needs to confirm that it’s sending messages to a mobile number and not a VoIP service.
The body also says users need better protection against having messages hijacked, for example by an attacker persuading the service provider that the number has changed: “Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change”, the document states [NIST’s caps – Ed].