The National Institute of Standards and Technology of the U.S. Department of Commerce ("NIST") has issued a proposed version of its Special Publication 800-63-3: Digital Authentication Guideline ("SP 800-63-3"). The proposed changes include:
- Verifying that phone numbers used for multi-factor authentication are attached to a mobile phone; and
- Deprecating SMS as delivery mechanism for one-time use codes for multi-factor authentication.
For complete details on the proposed changes, or to submit feedback to the NIST, see the full draft publication.
ACA Aponix Commentary
This NIST publication is in draft form and has yet to be adopted. The deprecation of SMS as a valid two-factor delivery mechanism stems from the widespread availability of text messaging on non-mobile computing devices, which invalidates the requirement that a mobile phone be present to receive the code. In addition, stolen passwords are often reused for web portals for cell phone service providers that provide access to text messages.
Popular alternatives to SMS as a two-factor authentication method include rotating codes in applications on phones (aka “soft tokens," such as those in Google Authenticator, RSA’s mobile app, and others), or use of push authentication, in which users are prompted to validate a connection (such as with Duo, Okta, and others).
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.