Light Dark
July 28, 2016 By Douglas Bonderud 2 min read

Companies recognize the value of two-factor authentication since passwords alone are no longer enough to secure user accounts and protect businesses in the event of malicious data loss. For many organizations — Twitter, Facebook and Google, to name a few — the shortest route to improved security is the use of SMS messaging to deliver single-use codes that users must enter in addition to passwords.

The problem: According to a new National Institute of Standards and Technology (NIST) draft, SMS two-factor authentication may not be so secure. Is it time to trash the texts for something better?

An Easily Exploited System

So what’s the problem with text messages? They seem like the perfect solution since they’re quick to send and only require users to provide their best contact number. As noted by CSO Online, however, cybercriminals have already found ways to work around this supposedly secure system.

For example, smartphones infected with malware can secretly redirect texts to another device, while more enterprising criminals are calling up phone companies and impersonating their potential victims, convincing operators to re-route secure texts.

The NIST draft also warned that software-based phone numbers, such as those connected to VoIP systems, could be vulnerable to cyberattacks and text theft. Users don’t know they’ve been victimized until after accounts are breached and financial or personal data is stolen. If users can’t easily prove they’ve been attacked or their texts were misdirected, they may be on the hook for any criminal actions.

Alternative Authentication

So far, the NIST has stopped short of asking companies to trash their text programs, but it suggested that companies should always verify that the number they’re texting is a true mobile phone and “generate a random authentication secret with at least 20 bits of entropy using an approved random number generator.” NIST further advised that codes should not be displayed on the lock screens of mobile devices.

Another option is to use authentication apps, which require the user to initiate code generation. The NIST said that “mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication.” While this doesn’t guarantee security since attackers could still take control of the mobile device itself, apps significantly reduce the chance of in-transit interception or eavesdropping.

As noted by ZDNet, other alternatives include biometrics such as fingerprints or eye scans, but the NIST cautioned that the amount false match rates and false nonmatch rates make it difficult to confirm user identity. There’s also movement toward selfie identification, and companies like MasterCard have introduced apps that prompt users take a picture of themselves. This photo is then compared to a photo submitted at the time of registration.

Time to Trash SMS Two-Factor Authentication

SMS two-factor authentication was never designed as a catch-all, but rather a security time-saver that at least offered increased peace of mind. But just like software or network defense, cybercriminals have found ways to circumvent and compromise SMS codes. Time is running out to toss the texts and opt for new authentication tech.

 |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature