The death of the SMS OTP

The National Institute of Standards recently issued a ruling on digital authentication that states SMS messaging as a second authentication factor should now be considered insecure. While sending an SMS for OTP is still better than having no additional authentication factors, the NIST ruling suggests that organizations wanting to raise the bar on their security standards consider more secure authentication methods.

You can read the rest of my white paper for Vasco (reg. req.) here.

1 thought on “The death of the SMS OTP

  1. FULL DISCLOSURE: I am the holder of a patent that uses mobile-originated SMS for authentication. My references to that technology in the comment below, however, are factual and not based on opinion.

    NIST’s recommendation is pretty clear… as far as it goes. Reading their paper in detail it is clear that the SMS authentication method they are recommending be deprecated is when a text is sent to the mobile (mobile terminated or MT) containing a OTP. SMS authentication methods that use mobile-originated (MO) texts are not impacted by the weaknesses noted in their recommendations.

    MO-based SMS authentication offers stronger security from several perspectives, including that it piggybacks on the cellular carriers’ own security processes for an additional very strong layer. Even in the event of a stolen phone the MO SMS method is more secure; OTPs that are sent to the phone are almost certainly going to appear on a locked screen in a preview as the vast majority of users leave the default preview option set to show. Sending an SMS from a stolen phone, however, requires that the thief can unlock the screen to send the text.

    There are other reasons that MO-based SMS authentication is stronger and more secure than the method which NIST rightly recommends against continuing. MO SMS authentication is the way that two-factor authentication *should* have been designed in the first place, but it was not.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.