Blog Home > Authentication Security > SMS OTP Delivery – NIST Restricts Out of Band Authentication

SMS OTP Delivery – NIST Restricts Out of Band Authentication


SMS OTPIn the world of modern 2FA, SMS OTP options are extremely popular.  They provide additional authentication security, without breaking the bank or making things too difficult for end-users.  However, it looks like the National Institute of Standards and Technology (NIST) believes the days of using an SMS OTP for 2FA might just be over. Within the new Public Preview of the NIST Special Publication 800-63B Digital Authentication Guideline are a few mentions of the future of SMS OTP delivery, and Out of Band Authentication in general.

What is Out of Band Authentication?

By this point in time, just about everyone and their mother knows what Two Factor Authentication is.  That is a topic that is simply impossible to miss while scrounging about the Internet.  The term ‘Out of Band authentication,’ on the other hand, is not quite as common.  In terms of SMS OTP delivery, Out of Band (OOB) Authentication is essentially the blanket term for this type of 2FA.

OOB Authentication refers to a 2FA method which uses a communication channel other than the one providing primary internet access in order to deliver an OTP. Out of Band Authentication was intended as a way to mitigate attacks similar to Man in the Middle attacks.  This is done by simply cutting out any weak intermediary links.  SMS OTP Delivery allows authentication to take place without a weak middle point.  Users simply confirm what they see in order to prove authentication – increasing security and maintaining usability. It’s and end-users dream, in a way.

However, as authentication security technology has evolved, so too have the hackers.

It seems that NIST views the potential vulnerabilities in SMS OTP delivery to be too important to ignore.  In the most recent draft of security guidelines, best practices for OOB authentication have been revised. NIST is looking to help every organization achieve better security with minimal risk by cutting out the risk of proverbial middle-man.  This is especially true for SMS OTP generation and delivery for authentication.

What does this mean for SMS OTP Delivery?

For the moment, things are up in the air. The draft for NIST Special Publication 800-63B clearly states the new direction (emphasis theirs):

“Out of band verifiers SHALL generate a random authentication secret with at least 20 bits of entropy using an approved random number generator. They then optionally signal the device containing the subscriber’s authenticator to indicate readiness to authenticate.

Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

Follow the Leader

Despite the fact that the NIST guidelines specifically note ‘OOB using SMS is deprecated,‘ best practices are presented to better secure instances where SMS OTP delivery is currently in use.  Personally, I always wondered when someone would take issue with VoIP services and the like, given their susceptibility to attack.  Not to mention, of course, that using a digital service to mimick a mobile network reintroduces the possibility of Man in the Middle Attacks – the whole point of OOB.

Of course, NIST Publications and Standards typically only have an immediate effect on the Federal Government. However, these policies have a trickle-down effect on the Public and Private sectors of information security. In terms of best practices for Two Factor Authentication and SMS OTP delivery: it’s safe to bet on NIST for the safest, most secure direction.

Options to Consider

With SMS OTP options heading into the bin, end-users need new options that provides security without sacrificing utility.  Ignoring that fact will cause more security holes to crop up within seemingly secure environments.  This inevitably leads to breaches and data dumps akin to the recent WikiLeaks fiascos.  Fortunately, there are plenty of options out there to consider for bringing usable 2FA into any environment.

Up to Bat:
  • Secure Mobile Authenticator

It is important to note that the NIST Guidelines do not point to mobile devices as the major worry.  A secure mobile device is still a viable alternative to SMS OTP Delivery. This is especially in the form of a mobile authenticator such as Google Authenticator.  These applications add an additional level of security to a user’s account, without being too difficult to implement.  It is important to note that this method does require some labor on behalf of the user. However, the process is as simple as the process instituted via SMS OTP delivery.

  • One-Touch Hard Tokens

Hard Tokens are notorious for being obnoxious and very hands-on.  However, there are many options for Hard Tokens that simplify the process, almost on par with SMS OTP delivery.  One-Touch tokens such as Yubico’s Yubikey are not only secure and easy to use – they are often affordable as well.

The Runner-Up’s:
  • SIP Authentication

Although not as simple as SMS OTP options, SIP authentication allows you to have an OTP delivered over a landline.  SIP uses dedicated text-to-speech software, cutting the need for additional resources. For certain environments, this is simple to implement, and mostly hands free.

  • Challenge Questions

A grand staple for authentication no matter where you are. Properly configured Challenge Questions provide a nice addition of security without too much additional strain on the end-user.

  • Grid Authentication

For a more intriguing approach to Knowledge Based Authentication (KBA), check out Grid Authentication.  Grid authentication takes the idea of a pattern lock – as seen on mobile device lock screens – and pits that as an extra layer for authentication.  Though ostensibly weaker than other 2FA methods, Grid Authentication is definitely worth keeping an eye on.

“We’ve Got You Covered”

SMS OTP Delivery might be on its way out, but we’ve got you covered. Solutions like PortalGuard provide a whole host of options to find that perfect balance between security and usability.  All of the above 2FA options and more are included in our default package to ensure that you find exactly what you need. With the constantly evolving standards for authentication security, the best practice is to have a solution that provides options and never falls behind.

Flexible Two Factor Authentication

Please follow and like us:
Christopher Perry

Author: Christopher Perry

Christopher is a Technical Support Engineer and content generator here at PistolStar, Inc. He has a Master’s Degree in English from SUNY Albany, and enjoys reading and writing about all things: especially poetry, science fiction and fantasy. Christopher’s daily tasks see him using his customer service and IT experience to improve written content for PistolStar, Inc., while working with customers to provide the best experience possible.


  1. So there is a media frenzy about the NIST SMS A2P proposed deprecation, take a look at my latest blog, I explore the options and recommend practical way forward. These the proposed guidelines may lead to 72% of Americans not adopting 2FA at all.

  2. Each attack scenario and application must be considered independently for vulnerabilities. For example, one time passcodes from an authenticator app provides no protection against phishing and man-in-the-middle attacks. On the other hand, when transaction details are provided for verification, SMS can be quite an effective tool for stopping fraudulent transactions.

Leave a Reply

Required fields are marked *.

Main menu