July 28, 2016 By Douglas Bonderud 2 min read

Companies recognize the value of two-factor authentication since passwords alone are no longer enough to secure user accounts and protect businesses in the event of malicious data loss. For many organizations — Twitter, Facebook and Google, to name a few — the shortest route to improved security is the use of SMS messaging to deliver single-use codes that users must enter in addition to passwords.

The problem: According to a new National Institute of Standards and Technology (NIST) draft, SMS two-factor authentication may not be so secure. Is it time to trash the texts for something better?

An Easily Exploited System

So what’s the problem with text messages? They seem like the perfect solution since they’re quick to send and only require users to provide their best contact number. As noted by CSO Online, however, cybercriminals have already found ways to work around this supposedly secure system.

For example, smartphones infected with malware can secretly redirect texts to another device, while more enterprising criminals are calling up phone companies and impersonating their potential victims, convincing operators to re-route secure texts.

The NIST draft also warned that software-based phone numbers, such as those connected to VoIP systems, could be vulnerable to cyberattacks and text theft. Users don’t know they’ve been victimized until after accounts are breached and financial or personal data is stolen. If users can’t easily prove they’ve been attacked or their texts were misdirected, they may be on the hook for any criminal actions.

Alternative Authentication

So far, the NIST has stopped short of asking companies to trash their text programs, but it suggested that companies should always verify that the number they’re texting is a true mobile phone and “generate a random authentication secret with at least 20 bits of entropy using an approved random number generator.” NIST further advised that codes should not be displayed on the lock screens of mobile devices.

Another option is to use authentication apps, which require the user to initiate code generation. The NIST said that “mechanisms such as smartphone applications employing secure communications protocols are preferred for out-of-band authentication.” While this doesn’t guarantee security since attackers could still take control of the mobile device itself, apps significantly reduce the chance of in-transit interception or eavesdropping.

As noted by ZDNet, other alternatives include biometrics such as fingerprints or eye scans, but the NIST cautioned that the amount false match rates and false nonmatch rates make it difficult to confirm user identity. There’s also movement toward selfie identification, and companies like MasterCard have introduced apps that prompt users take a picture of themselves. This photo is then compared to a photo submitted at the time of registration.

Time to Trash SMS Two-Factor Authentication

SMS two-factor authentication was never designed as a catch-all, but rather a security time-saver that at least offered increased peace of mind. But just like software or network defense, cybercriminals have found ways to circumvent and compromise SMS codes. Time is running out to toss the texts and opt for new authentication tech.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today