SMS authentication

What a difference a year makes. As related in AppDev Magazine’s recent newsletter, just one year after NIST, the National Institute of Standards and Technology, issued guidance that found SMS insecure and no longer suitable as a strong authentication mechanism, it has backpedaled on its previously strong statements and instead offers a new, softer recommendation. According to this article, NIST proposed “deprecating” SMS 2FA last year because of vulnerabilities…


Top 5 Security Stories in 2016

2016 was another stunning year in the battle against hackers. The bad guys were more than up to the task with new attacks and an endless display of innovation that challenged even the best security strategies. Yahoo topped its half-billion-record breach with a billion-record breach, ransomware ran amok, DDoS attacks scaled to new heights, the endpoint grabbed major attention, and the U.S. political process ended up in Russia’s crosshairs…


GAO report on privacy and security: a wake-up call for HHS?

For years, I have been a vocal proponent of securing protected health information. It is no secret that the U.S. Department of Health and Human Services (HHS) swept security and authentication under the rug during the rollout of electronic health records (EHRs) so as not to impede adoption of electronic records by providers by making it difficult to use them. The current minimum requirements for identity assurance are set low, requiring…


Convenience Over Security is Often Not the Best Policy

Now NIST says SMS authentication is a “no-go”

Forget your password? No problem, just click “reset password” to receive a one-time code sent via SMS to your registered mobile phone. From there you can create a new password to access your account. Inexpensive and convenient? Absolutely! Secure? Maybe. Well, for federal agencies, “maybe” does not make the grade when it comes to security and the National Institute of Standards and…


August 2, 2016 - Andrew Showstead
SMS is insecure, and is no longer suitable as a strong authentication mechanism.

The news is in that the National Institute of Standards and Technology has finally stated what both security professionals and hackers alike have known for years: SMS is insecure, and is no longer suitable as a strong authentication mechanism. SMS messages are not protected from the wrong eyes seeing them, and there is no assurance that they will actually go to the intended recipient. So everyone knew this day was…