NIST Denounces SMS 2FA – What are the Alternatives?


Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating SMS-based out-of-band authentication. This became clear with the publication of the draft NIST Special Publication 800-63B, Digital Authentication Guideline.

The NIST Special Publication (SP) 800 series is required by Office of Management and Budget (OMB) policy for almost all federal agencies. It is not required for private business. Nevertheless, it forms part of the NIST Risk Management Framework (RMF), which many U.S. organizations use as the base framework for their own security policy, and conformance to the NIST RMF would certainly benefit companies wishing to do business with government departments.

The key paragraph in the new draft comes in section 5.1.3.2, Out of Band Verifiers: "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. …"
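To make the quoted requirement concrete, the following is an added example (not NIST's text or code, and not from the Security Week article) of a minimal SMS out-of-band verifier that enforces the SHALL clause: the pre-registered number must resolve to a mobile line, and VoIP or unknown numbers are refused before any code is sent. The line-type lookup is a constructed in-memory table standing in for a carrier or number-portability lookup service, which is an assumption; the code lifetime and attempt limit are also assumed values, since the draft paragraph does not fix them.

```python
"""
Minimal SMS out-of-band verifier following the draft SP 800-63B clause
quoted above. Added illustration, not NIST or vendor code.

Assumptions (not from the draft text):
  - SAMPLE_LINE_TYPES is a constructed table standing in for a real
    line-type lookup service (carrier / number-portability database).
  - CODE_TTL_SECONDS and MAX_ATTEMPTS are reasonable defaults, not
    values the draft specifies.
"""
import hmac
import secrets
import time

# Constructed sample data: E.164 number -> line type as a lookup service
# would report it. In production this is an external query (assumption).
SAMPLE_LINE_TYPES = {
    "+15551230001": "mobile",
    "+15551230002": "voip",
    "+15551230003": "landline",
}

CODE_TTL_SECONDS = 300   # assumed: a short lifetime limits replay of an intercepted SMS
MAX_ATTEMPTS = 3         # assumed: limits online guessing of a 6-digit code


class VerifierError(Exception):
    """Raised when the pre-registered number cannot be used for SMS OOB."""


def check_number_is_mobile(number, line_types=SAMPLE_LINE_TYPES):
    """The SHALL clause: the number must be on a mobile network, not VoIP
    or another software-based service. An unknown number is refused too,
    because 'not known to be VoIP' is not the same as 'known to be mobile'."""
    line_type = line_types.get(number)
    if line_type is None:
        raise VerifierError("unknown number: cannot confirm it is a mobile line")
    if line_type != "mobile":
        raise VerifierError(f"{line_type} numbers are not acceptable for SMS out-of-band")
    return True


def issue_code(number, sms_send, now=None, line_types=SAMPLE_LINE_TYPES):
    """Check the line type first, then generate and send a 6-digit code.
    sms_send(number, text) is the caller's delivery hook (stubbed in tests).
    Returns the server-side challenge record."""
    check_number_is_mobile(number, line_types)
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
    sms_send(number, f"Your verification code is {code}")
    return {
        "number": number,
        "code": code,
        "issued": time.time() if now is None else now,
        "attempts": 0,
        "used": False,
    }


def verify_code(challenge, submitted, now=None):
    """Single-use, time-limited, attempt-limited, constant-time comparison.
    Any failure that exhausts the challenge marks it used so it cannot be
    retried; the caller must issue a fresh code."""
    now = time.time() if now is None else now
    if challenge["used"]:
        return False
    if now - challenge["issued"] > CODE_TTL_SECONDS:
        challenge["used"] = True
        return False
    if challenge["attempts"] >= MAX_ATTEMPTS:
        challenge["used"] = True
        return False
    challenge["attempts"] += 1
    if hmac.compare_digest(challenge["code"].encode(), str(submitted).encode()):
        challenge["used"] = True
        return True
    return False


if __name__ == "__main__":
    sent = []
    ch = issue_code("+15551230001", lambda n, m: sent.append((n, m)))
    print("sent:", sent[0])
    print("verify:", verify_code(ch, ch["code"]))
    try:
        issue_code("+15551230002", lambda n, m: None)
    except VerifierError as e:
        print("rejected:", e)
```

The line-type check runs before the code is generated, so a VoIP number never receives a code at all. Note that this is only the part of the draft clause visible on this page; it does not address the rest of the out-of-band requirements that the quotation elides.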

Read more at Security Week