NIST Recommends Against SMS as Second Authentication Factor

Robinson+Cole Data Privacy + Security Insider

On July 29, Paul Grassi, the Senior Standards and Technology Advisor at the National Institute of Standards and Technology (NIST), posted an unusual blog post regarding the new draft NIST Special Publication 800-63-3: Digital Authentication Guideline. The main issue that has drawn significant commentary from the press and businesses is NIST's "deprecation" of SMS (text messages) as a second authentication factor. SMS has been adopted by many companies as their primary second authentication factor. The NIST Special Publication, if adopted in its current form, applies to US Federal Government agencies and their contractors, but many companies follow NIST standards closely.

Mr. Grassi explains in his post that the risk NIST has identified with SMS is that an SMS message may no longer be tied to a mobile phone. With voice over IP (VoIP) and other internet-based services, SMS is now interoperable with multiple services. "An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn't have to know the difference when they hit send—that's part of the internet's magic." While that makes things easier for the user, NIST believes it raises the security risk to an unacceptable level. Even if the SMS could be associated with a particular device, NIST states that there is a risk of the SMS being intercepted by a malicious actor.

Mr. Grassi goes on to explain that "deprecation" means SMS may be used for now, but "it's on its way out." This will eventually require businesses to re-evaluate the risks associated with SMS, most likely changing their authentication operations, and individuals to learn new ways of interacting with online services.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
