Comment from HAUD on NIST removing its recommendation for the use of SMS for two-factor authentication
July 2016 by Kevin Panzavecchia, CTO of mobile network security experts HAUD
In its latest set of security guidelines, NIST, the technology standards body of the US, has said that using SMS for two-factor authentication has become “deprecated” and that it will no longer recommend the use of text messages for security purposes in future versions of its guidance.
Kevin Panzavecchia, CTO of mobile network security experts HAUD, argues that it is possible to fix the vulnerabilities associated with recent high-profile mobile network hacks, and that the benefits of the system still outweigh the negatives.
“While the continued use of SMS for two-factor authentication (2fa) does indeed face some challenges, it is impossible to ignore the many benefits it offers to securing and protecting user accounts. No other platform has the same level of ubiquity, and for software architects that wish to implement 2fa systems that are both secure and accessible, it is still the clear front runner.
“The challenges facing SMS 2fa are not insurmountable, and MNOs have a role to play in ensuring their networks are secure for the vast array of applications currently used by their subscribers, including this type of traffic. By implementing a mobile network firewall that can filter and protect against misuse of Category 1, 2, and 3 SS7 traffic, MNOs can make sure that their networks remain safe for the transfer of sensitive information via SMS.”