Goodbye 2FA

Goodbye SMS 2-factor authentication and we won’t miss you

August 5, 2016 – Welcome to the future: SMS 2-factor authentication is on its way out.

The US National Institute of Standards and Technology (NIST) is planning to drop SMS validation from the most recent draft of the Digital Authentication Guideline, and it’s none too soon. Let’s face it, 2FA is a hassle from a user’s perspective. Not only is your phone not always handy, sometimes it takes forever to get the text, input the code into the form, and wait for the OK from the authentication gods. It is just more friction between the brand and the user getting what they want.

Well, last week many people’s prayers were answered when NIST stated that “OOB [out of band validation] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” This means that sooner rather than later, the use of SMS will be frowned upon as a means of 2-factor authentication. The main reason for this decision against endorsing SMS 2FA is that there is no way to verify whether the smartphone the SMS is sent to is actually in the possession of its owner.


Another reason is that the SMS can be hacked by a VoIP service trying to gain access to the user’s account. And finally the light

So the question remains: what will replace this security measure? For the time being, NIST is still recommending two-factor authentication, but in the form of secure applications and biometrics. The latter refers to physical biometrics, such as fingerprint scanning and retina scans (any input where the user is aware that information is being collected).

But physical biometric validation metrics are also flawed in that they can be mimicked. What if the user is passed out at a party and someone lifts the victim’s finger to their phone to access sensitive data? What if violence is used to force a retina scan? What happens when a fingerprint is copied using printer ink and used on a stolen phone? Rubber fingerprint caps are already for sale on the market. So, while physical biometrics may be a step up from a simple SMS validation, it’s not going to be the all-in-one solution many were hoping for.

In an ideal world, our computers will know whether we are who we claim to be online without us having to do any work at all. And we are not as far off from this world as you might think. We all know how much data the latest and greatest devices are capable of collecting. Phones can sense how hard a user pushes on the screen, the angle at which the device is being held, the user’s online banking login habits, and even the typos and typing patterns they tend to make.


While it may be seen as an invasion of privacy, no actual personally identifiable data is collected by these systems. Plus, when you consider the very real and growing threat of data breaches (Account Takeover and New Account Fraud are expected to rise 60% by 2018), this data collection suddenly becomes a very useful armour against account takeover (ATO) and new account fraud threats. If our machines can understand who we are based on our unique interactions with them, behaviors that cannot be lost, imitated or stolen, then we are looking at a very powerful solution to a very real problem. With this information, we can get to a place where 2FA seldom needs to be used as a means of validation, since we already know who the user is.
