NIST: SMS-based two-factor authentication isn’t strong enough

The U.S. National Institute of Standards and Technology (NIST) has deemed SMS-based two-factor authentication no longer secure enough to keep hackers out. Specifically, NIST states that SMS-based two-factor authentication isn’t secure because the user’s phone may not always be the device that holds the phone number, and because SMS messages can be intercepted and never delivered to the phone.

That is why ACE IT Solutions partners with DUO to offer more secure two-factor authentication methods, like Duo Push.

What is SMS-Based Two-Factor Authentication?

In SMS two-factor authentication, you first log into an application using a primary method of authentication, typically your username and password. Your two-factor authentication provider then sends a one-time passcode (OTP) via an SMS text message to your phone. Finally, you type the passcode into the prompt to complete authentication and log into your application.

Why is Duo’s two-factor solution more secure?

Duo uses Duo Push, powered by our Duo Mobile authentication app, which sends an Approve or Deny notification to your phone after your identity provider completes your primary authentication. This method is faster than typing in a passcode and is ideal for the most secure access with minimal interruption to your workflow.

U2F, or Universal 2nd Factor, is another more secure method that we recommend. Created by the FIDO (Fast IDentity Online) Alliance, U2F is a strong industry standard for two-factor authentication that uses U2F authenticators, such as a USB device. This device protects a user’s private keys with a tamper-resistant component known as a secure element (SE). Duo is an active FIDO member, providing U2F as a secure two-factor authentication method for all customers.

ACE IT Solutions is a Duo partner. Contact ACE IT Solutions for a free trial. We can get you set up so you can see for yourself how easy it is to provide secure access to your mobile devices.
