Duo Aligns With NIST on New Authentication Guidelines
The U.S. National Institute of Standards and Technology (NIST) has deemed SMS-based two-factor authentication no longer secure enough to keep hackers out.
Duo has known this for a while now, which is why we recommend using more secure two-factor authentication methods like Duo Push, instead of SMS. In addition to the FTC (Federal Trade Commission), Google, FIDO (Fast IDentity Online) Alliance and others, Duo has provided input to NIST on moving the NIST Special Publication 800-63 guidelines for authentication away from prescriptive technologies to defining characteristics required for each level.
NIST is deprecating the SMS method in the latest draft of its Digital Authentication Guideline (SP 800-63).
What is SMS-based two-factor authentication?
In SMS two-factor authentication, you first log into an application using a primary method of authentication, typically your username and password. Your two-factor authentication provider then sends a one-time passcode (OTP) to your phone in an SMS text message. Finally, you type the passcode into the prompt to complete authentication and log into the application.
Why SMS two-factor authentication is not secure
Specifically, NIST states that SMS-based two-factor authentication isn’t secure because possession of the phone number does not prove possession of the phone, and because SMS messages can be intercepted or redirected rather than delivered to the phone.
This method relies on the security of the telephony and carrier infrastructure, which is typically not very secure, according to Duo’s CTO Jon Oberheide. For example, the U.K.’s leading broadband and phone provider was breached last October, affecting millions of customers.
Lax security practices at telephony providers can lead to the theft of one-time passcodes (OTPs): your SMS codes can be intercepted and your login sessions hijacked by attackers.
Additionally, many apps on the average phone have access to the SMS inbox, meaning OTPs can be stolen even without physical access to your phone. Examples include messaging apps that read or handle SMS, such as Google Messenger and Hangouts.
That means that if another application on the same phone you use to receive SMS codes is compromised, an attacker could read your SMS inbox through that application and remotely steal the code sent to your phone.
OTPs are also more susceptible to phishing than other methods, because they require you to type a code into a website served up by your browser. An attacker can stand up a fake website that captures both your primary method of authentication (username and password) and your secondary method (your OTP), and then use them against the real site.
So, what method should I use?
Duo recommends using Duo Push, powered by our Duo Mobile authentication app, which sends an Approve or Deny notification to your phone after your identity provider completes your primary authentication. It’s an easy and secure way to verify that it’s you logging in, with the tap of a button. This method is faster than typing in a passcode, and ideal for the most secure access with minimal interruption to your workflow.
U2F, or Universal 2nd Factor, is another more secure method that we recommend. Created by the FIDO (Fast IDentity Online) Alliance, U2F is a strong industry standard for two-factor authentication that uses U2F authenticators, such as a USB device. The device protects a user’s private keys in a tamper-resistant component known as a secure element (SE). Duo is an active FIDO member, providing U2F as a secure two-factor authentication method for all customers.
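The following added example (not Duo's code, and not taken from the NIST draft) contrasts the SMS passcode flow described earlier with a U2F-style challenge-response when the user has landed on a phishing page. The verifier in the SMS flow has no way to tell where the code was typed, so a relay attack succeeds; a U2F-style authenticator signs the challenge together with the origin the browser reports, so the same relay fails. The origins, usernames and the in-memory "carrier" are constructed for the example, and HMAC-SHA256 with a per-device secret stands in for the authenticator's ECDSA signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120
REAL_ORIGIN = "https://login.example.com"       # constructed relying party origin
PHISH_ORIGIN = "https://login.example-com.co"   # constructed look-alike phishing origin


class SmsOtpVerifier:
    """Server side of the SMS flow: issue a code, hand it to the carrier, check it once."""

    def __init__(self):
        self._pending = {}   # username -> (code, expiry timestamp)
        self.sent_sms = []   # constructed stand-in for the carrier: messages delivered to the phone

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now + OTP_TTL_SECONDS)
        self.sent_sms.append((username, code))
        return code

    def verify(self, username, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(username, None)   # single use, whether or not it matches
        if entry is None:
            return False
        expected, expires_at = entry
        # Nothing here says which site the user typed the code into.
        return now <= expires_at and hmac.compare_digest(expected, code)


class OriginBoundAuthenticator:
    """Stand-in for a U2F device: signs the challenge *and* the browser-reported origin."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # stand-in for the private key in the secure element
        self.counter = 0

    def public_material(self):
        # A real device hands out an ECDSA public key; the HMAC stand-in must share its secret.
        return self._secret

    def sign(self, challenge, browser_origin):
        self.counter += 1
        client_data = f"{browser_origin}|{challenge.hex()}".encode()
        msg = hashlib.sha256(client_data).digest() + self.counter.to_bytes(4, "big")
        return {"client_data": client_data, "counter": self.counter,
                "signature": hmac.new(self._secret, msg, hashlib.sha256).digest()}


class OriginBoundVerifier:
    def __init__(self, origin):
        self.origin = origin
        self._devices, self._challenges, self._last_counter = {}, {}, {}

    def register(self, username, authenticator):
        self._devices[username] = authenticator.public_material()
        self._last_counter[username] = 0

    def challenge(self, username):
        self._challenges[username] = secrets.token_bytes(32)
        return self._challenges[username]

    def verify(self, username, assertion):
        expected = self._challenges.pop(username, None)
        key = self._devices.get(username)
        if expected is None or key is None:
            return False
        origin, _, chal_hex = assertion["client_data"].decode().partition("|")
        if origin != self.origin or chal_hex != expected.hex():
            return False   # signed for another site, or a stale/unknown challenge
        msg = hashlib.sha256(assertion["client_data"]).digest() + assertion["counter"].to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), assertion["signature"]):
            return False   # client data was edited after signing
        if assertion["counter"] <= self._last_counter[username]:
            return False   # replayed assertion
        self._last_counter[username] = assertion["counter"]
        return True


def phishing_relay_sms(verifier, username):
    """Fake page proxies the login: the real site texts a code, the victim types it on the
    fake page, and the attacker forwards it. The verifier accepts it."""
    verifier.issue(username)
    victim_typed = verifier.sent_sms[-1][1]   # victim copies the code from the genuine SMS
    return verifier.verify(username, victim_typed)


def phishing_relay_u2f(verifier, username, device, tamper_origin=False):
    """Same relay against an origin-bound authenticator; the browser is on PHISH_ORIGIN."""
    assertion = device.sign(verifier.challenge(username), PHISH_ORIGIN)
    if tamper_origin:   # attacker rewrites the origin field before forwarding
        fixed = assertion["client_data"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
        assertion = dict(assertion, client_data=fixed)
    return verifier.verify(username, assertion)


def legitimate_u2f(verifier, username, device):
    return verifier.verify(username, device.sign(verifier.challenge(username), REAL_ORIGIN))
```

The SMS verifier does everything right on its own terms (random code, expiry, single use) and is still defeated, because the channel carries no information about where the code was entered. The origin-bound verifier rejects the relayed assertion whether the attacker forwards it unchanged or edits the origin, and the counter check rejects a replay of an assertion that was accepted earlier.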
Learn more in our Two-Factor Authentication Evaluation Guide.