NIST To Ban SMS Two-Factor Auth

grarpamp grarpamp at
Mon Jul 25 23:21:35 PDT 2016

DRAFT NIST Special Publication 800-63B
Digital Authentication Guideline
Authentication and Lifecycle Management
This document and its companion documents, SP 800-63-3, SP 800-63A,
and SP 800-63C, provide technical and procedural guidelines to
agencies implementing electronic authentication to choose and
implement effective authentication processes based on risk. The
recommendation covers remote authentication of users (such as
employees, contractors, or private individuals) interacting with
government IT systems over open networks. It defines technical
requirements for each of the three authenticator assurance levels.
If the out of band verification is to be made using a SMS message on a
public mobile telephone network, the verifier SHALL verify that the
pre-registered telephone number being used is actually associated with
a mobile network and not with a VoIP (or other software-based)
service. It then sends the SMS message to the pre-registered telephone
number. Changing the pre-registered telephone number SHALL NOT be
possible without two-factor authentication at the time of the change.
OOB using SMS is deprecated, and will no longer be allowed in future
releases of this guidance.

More information about the cypherpunks mailing list