Holy acronyms Batman! What the heck does this headline mean? Well, the National Institute for Standards and Technology (NIST) has removed two-factor authentication (TFA) via short-messaging service (SMS) from the approved list of two-factor authentication methods. The reason is that SMS is an unencrypted service, and the lack of encryption makes it too insecure for use in Federal authentication systems. NIST is recommending that all companies consider other alternatives, too.
Those alternatives are:
- RSA Key
- Smartphone apps such as Google Authenticator or Authy.
The ink barely dried on my previous post when I was alerted to the impending demise of SMS based two-factor authentication. I accept the point, but in the interim, SMS two-factor is better than no two-factor so I am taking this with a grain or two of salt, and still recommending to my clients that they do whatever works for them to implement TFA that is acceptable to their user groups.