SMS-based two-factor authentication will soon be banned

The US National Institute for Standards and Technology draft guidelines state that SMS is not secure enough for authentication purposes.

Michelle Starr Science editor

In the latest draft of the Digital Authentication Guideline, the rules by which authentication software must abide, the US National Institute for Standards and Technology is preparing to get rid of SMS-based two-factor authentication.

This is where a service provider, such as Gmail, sends you a code via SMS that you have to enter before you can access your email account, for example. The code, entered in addition to your password, is the "second factor" of authentication.

The measure is being enforced because SMS is relatively insecure. The phone may not be in the original owner's possession, for example, or the SMS may be hijacked by a VoIP service, Softpedia notes.

The relevant paragraph of the draft reads: "[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

However, the draft also notes that two-factor authentication via a secure application or biometrics, such as a fingerprint scanner, may still be used.