NIST: Time for SMS OTP Tokens to “RIP”

The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce and one of the nation's oldest physical science laboratories.

An upcoming pair of "special publications" from NIST, known as its official communiques, update its recommendations for a host of authentication and security issues, and the documents are up for "public preview". In the draft up for review, NIST actively discourages using SMS as an "out of band authenticator", essentially a channel for delivering a one-time-use code for 2FA.

… If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance…

NIST recommends the use of dedicated 2FA mobile apps (such as authenticator apps that generate time-based one-time passwords on the device) instead. It adds that there are plenty of options; SMS was just the easy one.
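What a "dedicated 2FA app" actually does is generate codes locally from a shared secret and the current time (RFC 6238 TOTP, built on RFC 4226 HOTP), so no code ever crosses the phone network. The following Python is an added example written for this page; it is not code from NIST, Ezmcom or TechCrunch. It uses the RFC 6238 reference-vector secret (the ASCII string "12345678901234567890", base32-encoded as an authenticator app would receive it) as a demo secret, and the server-side verifier is a hypothetical design that shows two checks a practitioner should not skip: a small clock-skew window and rejection of a code that was already accepted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Demo secret only: the RFC 6238 Appendix B reference key, base32-encoded the way an
# otpauth:// enrolment URI would carry it. Not a real credential.
RFC6238_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(RFC6238_SECRET).decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app shows)."""
    return hotp(base64.b32decode(secret_b32), at_time // step, digits)


class TotpVerifier:
    """Hypothetical server-side verifier for one enrolled user.

    - accepts the current step plus `window` steps either side, to tolerate clock skew;
    - remembers the highest counter already accepted, so a captured code cannot be replayed
      (a counter is single-use, even inside the skew window);
    - compares in constant time.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = base64.b32decode(secret_b32)
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # per-user state; persist it server-side in practice

    def verify(self, submitted: str, at_time: int) -> bool:
        if not submitted.isdigit() or len(submitted) != self.digits:
            return False
        base = at_time // self.step
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue  # already consumed (replay) or older than the last accepted code
            if hmac.compare_digest(hotp(self.key, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)          # what the app would display right now
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print(code, verifier.verify(code, now))    # first use is accepted
    print(code, verifier.verify(code, now))    # second use of the same code is rejected
```

The skew window and the replay guard pull in opposite directions: widening the window makes a stolen code usable for longer, while the `last_counter` check ensures that however wide the window is, each code still works exactly once. The remaining risk the page's NIST quote is about, interception of the code in transit, simply disappears here because nothing is transmitted to the user at all.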

Ezmcom Inc provides an innovative multi-layer, multi-factor identity protection solution, including emerging behavioural and risk-fusion biometric authentication form factors. Serving more than 300 customers, including 40+ banks across the world, Ezmcom powers authentication for 50M+ end users daily.

Contact us on [email protected] or call +1 (510) 396 3894 (USA/CANADA) / +60 12 570 1114 (ASEAN/ANZ) / +91 (776) 082 5225 ( APAC/EMEA)

This article was originally published by Anupam Ratha, CTO, Ezmcom, and has been adapted here. The information first appeared in an article at TechCrunch.
