Duo aligns with NIST on new authentication guidelines


The U.S. National Institute for Standards and Technology (NIST) has deemed SMS-based two-factor authentication as no longer secure enough to keep hackers out.

Duo has known this for a while now, which is why we recommend using more secure two-factor authentication methods like push notifications instead of SMS. In addition to the FTC (Federal Trade Commission), Google, FIDO (Fast IDentity Online) Alliance and others, Duo has provided input to NIST on moving the NIST Special Publication 800-63 guidelines for authentication away from prescriptive technologies to defining characteristics required for each level.

NIST will be deprecating the authentication method, as noted in the latest draft of the Digital Authentication Guideline.

Learn more in the latest Duo blog post.


Is there a way to warn users to not use SMS auth if they choose this option? Or is there a way to disable SMS on a per-account basis?


You betcha!

Authentication Methods can be enabled and disabled at the Application and Group level: Policy & Control | Duo Security



We need to disable text messaging authentication for admin users. I don’t think this is currently possible.
Could you please advise on the availability to disable text message authentication for admin users?