Linked – Say Farewell to SMS-Based Two-Factor Authentication?


The U.S. National Institute of Standards and Technology (NIST) says in a new draft of its Digital Authentication Guideline that SMS-based two-factor authentication should not be used due to security concerns. “[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” the document reads.

As Engadget notes, NIST guidelines aren’t binding. But federal agencies typically abide by them, and the private sector will likely fall in line, too.

So what’s next then? SMS was a nice alternative because everyone already has a cell phone, and carries it, so having the code sent there made a lot of sense. If we move away from that, where do we go? Authenticator apps are ok, but they require a data connection to the internet. That isn’t as easy, especially if I’m overseas or somewhere where there is no cell service. Now, to get into my email, for example, I have to attach my laptop, and my cell phone, to wifi just to get the code. Not impossible, but not really as easy.

Plus, once we move away from SMS, hackers will be right after those apps too. It never ends.




  1. Authenticator apps, or the ones that I use, don’t require internet access. That’s kind of the point. They can be used totally offline (although you need to be online to use the thing that’s asking for your 2FA password – but that can now be a different device to the one generating the password).

    1. Oh well, there you go, I didn’t even realize you could use the authenticator app without an internet data connection. I take it back, that may be the next thing we head to, though that does require a smartphone instead of “any” cell phone, but that is becoming less of an issue.
