NIST Shouted, Who Listened? Analyzing User Response to NIST's Guidance on SMS 2FA Security


#1

In late July 2016, SMS was formally declared undesirable and not recommended by the National Institute of Standards and Technology (NIST). While not enough time has passed to draw a definitive conclusion, it appears Duo SMS-based authentications have not declined significantly despite this declaration. It’s encouraging, however, that Duo Push (a more user-friendly and secure method) has been consistently increasing in use. Duo also encourages U2F as more services begin to support it as a secondary authentication method.

Click here for further information about NIST’s recommendations, see data from Duo and more in this blog by Mayank Saha.


#2

When I read about the NIST recommendation on SMS in late July, I contacted Duo to make sure they were aware, and then removed SMS authentication as an option for our 500+ Duo users.