NIST Shouted, Who Listened? Analyzing User Response to NIST's Guidance on SMS 2FA Security


In late July 2016, SMS was formally declared undesirable and not recommended by the National Institute of Standards and Technology (NIST). While not enough time has passed to draw a definitive conclusion, it appears Duo SMS-based authentications have not declined significantly despite this declaration. It’s encouraging, however, that Duo Push (a more user-friendly and secure method) has been consistently increasing in use. Duo also encourages U2F as more services begin to support it as a secondary authentication method.

For further information about NIST’s recommendations, data from Duo and more, see this blog by Mayank Saha.


When I read about the NIST recommendation on SMS in late July, I contacted DUO to make sure they were aware, and then removed SMS authentication as an option for our 500+ DUO users.