Despite NIST’s warnings, SMS still being used for two-factor authentication

Six months after SMS authentication was deemed insecure, little has changed, according to a new report from Duo Security.

Despite increasingly loud warnings from the National Institute of Standards and Technology, people are still using SMS messages for two-factor authentication in order to protect their accounts and networks.

Over the summer, NIST pushed U.S. government agencies to move away from SMS authentication, which is impossible to verify and easy to intercept. But six months after the security edict against SMS, little appears to have changed, according to a new report from Duo Security, a firm focused on secure access.

SMS authentication “still accounts for hundreds of thousands of authentication requests a day showing no significant change after NIST updated its guidance,” Duo’s Mayank Saha wrote.

The most popular authentication tool are authentication apps like Google Authenticator and RSA SecurID, a method sharply on the rise over the last year. That’s followed by phone calls and text messages. Last on the list are Universal 2-Factor tools like NitroKey and YubiKey which has seen a “huge spike in orders this year,” according to the company, but remains by far the least-used method of authentication.


U2F keys are widely considered the most secure authentication tool because they cannot be spoofed, intercepted or phished the way other methods can. By design, however, U2F requires a new piece of paid hardware and a short but significant learning curve. When compared to the ease of use for apps and text messages, U2F will struggle mightily to gain widespread use for that reason. The method may thrive in highly regulated environments, though, where security practices can be strictly mandated.

Although there has been no significant change since NIST issued the new guidelines, the use of SMS has been in “gentle decline” since the beginning of 2016.

Using SMS as verification for your accounts is widely seen as a clear step up from passwords alone. But when you’re looking at highly-targeted people like U.S. government personnel, the security problems that plague SMS are widely seen as beyond repair. Highly vulnerable texts leave government networks open to the kind of hacking seen against targets in Iran, Russia and America.

“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3,” Paul Grassi, NIST’s senior standards and technology adviser, explained earlier this year. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”

NIST’s Digital Authentication Guideline has concluded its public comment period. A new draft is due by the end of the year. The agency is still accepting comments until December 16 on biometric authentication.

Latest Podcasts