Companies recognize the value of two-factor authentication since passwords alone are no longer enough to secure user accounts and protect businesses in the event of malicious data loss. For many organizations — Twitter, Facebook and Google, to name a few — the shortest route to improved security is the use of SMS messaging to deliver single-use codes that users must enter in addition to passwords.

The problem: According to a new National Institute of Standards and Technology (NIST) draft, SMS two-factor authentication may not be so secure. Is it time to trash the texts for something better?

An Easily Exploited System

So what’s the problem with text messages? They seem like the perfect solution since they’re quick to send and only require users to provide their best contact number. As noted by CSO Online, however, cybercriminals have already found ways to work around this supposedly secure system.

For example, smartphones infected with malware can secretly redirect texts to another device, while more enterprising criminals are calling up phone companies and impersonating their potential victims, convincing operators to re-route secure texts.

The NIST draft also warned that software-based phone numbers, such as those connected to VoIP systems, could be vulnerable to cyberattacks and text theft. Users don’t know they’ve been victimized until after accounts are breached and financial or personal data is stolen. If users can’t easily prove they’ve been attacked or their texts were misdirected, they may be on the hook for any criminal actions.

Alternative Authentication

So far, the NIST has stopped short of asking companies to trash their text programs, but it suggested that companies should always verify that the number they’re texting is a true mobile phone and “generate a random authentication secret with at least 20 bits of entropy using an approved random number generator.” NIST further advised that codes should not be displayed on the lock screens of mobile devices.

Another option is to use authentication apps, which require the user to initiate code generation. The NIST said that “mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication.” While this doesn’t guarantee security since attackers could still take control of the mobile device itself, apps significantly reduce the chance of in-transit interception or eavesdropping.

As noted by ZDNet, other alternatives include biometrics such as fingerprints or eye scans, but the NIST cautioned that the amount false match rates and false nonmatch rates make it difficult to confirm user identity. There’s also movement toward selfie identification, and companies like MasterCard have introduced apps that prompt users take a picture of themselves. This photo is then compared to a photo submitted at the time of registration.

Time to Trash SMS Two-Factor Authentication

SMS two-factor authentication was never designed as a catch-all, but rather a security time-saver that at least offered increased peace of mind. But just like software or network defense, cybercriminals have found ways to circumvent and compromise SMS codes. Time is running out to toss the texts and opt for new authentication tech.

More from

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…