It might be time to say goodbye to those text messages containing PINs to help you log into your favorite banking site.
The U.S. National Institute of Standards and Technology (NIST) released a draft of its latest guidelines on digital authentication this week, and it contains a disturbing bit of news for many financial services companies: SMS notifications are not recommended for two-factor authentication due to inherent vulnerabilities.
The NIST is the part of the Department of Commerce that sets national technology standards.
NIST argues that, above all, SMS-based two-factor authentication is insecure because the user may not actually be in possession of the device that receives the message. Instead, NIST recommends biometric methods of authentication, such as Apple’s Touch ID: something you are rather than something you have.
“This is a huge deal in my opinion,” said Yaniv Oz, co-founder and CEO of Hermetic Security, a startup in the current, inaugural class of the Bank Innovation INV accelerator, a sister venture to Bank Innovation. “Many banks will have to reevaluate their 2FA systems.”
Not only banks, but many tech-forward fintech players rely on the same method. Two-factor authentication employing SMS is used by the nation’s three largest banks (JPMorgan Chase, Wells Fargo, and Bank of America) as well as other banks, and by fintech companies such as Circle and Coinbase, according to the site twofactorauth.org.
Some of these companies already employ alternative methods, which will make the transition away from SMS simpler, but removing an option users are comfortable with can bring problems of its own.
Tech giants such as Facebook and Google have already moved away from SMS-based two-factor authentication in favor of codes generated within their own apps.
In addition to the device being stolen or otherwise in the wrong hands, NIST points out that some VoIP services are able to take over SMS messages. (Some phone users allow children or spouses to add fingerprints to Touch ID in order to share devices, but that’s another matter.)
This remains a draft version of the digital guidelines, but it appears that SMS’s days as an authentication enabler are, er, numbered.
In Europe we fixed the problem with traditional SMS 2FA authentication by introducing, as an additional security element, a varying SENDER number for the SMS, since it is easy for a man in the middle to listen in on SMS messages from a static sender number. This was further enhanced by requiring the end user to REPLY to the SMS with a varying reply code. This provides two additional layers of security, and we believe this improvement has made SMS-based authentication as secure as an app-based code generator (while replying to an SMS is easier for an average consumer customer than using a code generator).