Two-factor authentication with SMS is a great way to keep your online accounts safe and secure, but it may not be tough enough. The National Institute of Standards and Technology (NIST) is taking a stance against the popular method and pushing for more complicated versions of two-factor authentication instead.
NIST recently published a public preview of its upcoming special publications. The documents actively discourage using SMS for two-factor authentication, arguing that the system “is deprecated, and will no longer be allowed in future releases of this guidance.” In the short term, SMS will still be allowed as long as you’re not using a virtual phone number service, but it will likely be discouraged entirely in the future.
There are plenty of other, more complicated alternatives to SMS when it comes to two-factor authentication. There’s Google Authenticator, a special smartphone app that generates one-time passwords. You could also carry around a hardware key, which could be a USB dongle or a smart card.
Shifting away from SMS-based two-factor authentication may seem like a strange move, especially when so many people still rely on regular insecure passwords. NIST clearly wants to improve security overall, but the move may actually discourage people from protecting their own accounts as a result.