US government agency calls for the end of SMS authentication

There are other, more secure two-factor systems around.

The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.

NIST doesn't make clear why it's deprecating SMS two-factor, but there are a few reasons that make sense. Most phones display text messages on their lock screen, meaning a would-be attacker would be able to authenticate just by looking at your phone. There are also considerable flaws in signalling protocols that make SMS more vulnerable than other methods.

NIST's guidelines aren't legally binding, but other government agencies stick by them, and the industry at large will follow. So what's the alternative to SMS? There are plenty. The most prevalent are dedicated applications that deliver a two-factor code that refreshes every 30 seconds. Google Authenticator, Authy, Duo and other apps all essentially do the same thing with slight differences in presentation and execution. If you work for a large company, you might have used hardware that works on a similar principle, such as RSA SecurID dongles.

There are still plenty of sites and services that only offer SMS-based authentication, while others such as Facebook support both app- and SMS-based methods. And, of course, there are inexplicably some services with no protection at all. Instagram is one such outlier -- it's been slowly bringing two-factor to its userbase this year, but at the time of writing has yet to complete that roll out.