Healthcare Information Security

Cybersecurity News

NIST Urges End of SMS Messaging in Two-Factor Authentication

A recent NIST draft guide warns that SMS messaging as part of two-factor authentication is not as secure as other options and could be intercepted or redirected.

By Elizabeth Snell

Using SMS messaging in two-factor authentication has the risk that information may be intercepted or redirected, and other alternatives should instead be considered, according to a National Institute of Standards and Technology (NIST) draft guide.

NIST cautions use of SMS messaging in two-factor authentication

The Digital Authentication Guideline discusses different types of authentication options, requirements, and lifecycle management. The guide is meant to “provide technical and procedural guidelines to agencies implementing electronic authentication to choose and implement effective authentication processes based on risk,” NIST explained in a report summary.

“Digital authentication is the process of establishing confidence that a given claimant is the same as a subscriber that has previously authenticated,” the report’s authors explained. “This guideline addresses how an individual, known as a claimant, can securely authenticate to a Credential Service Provider to establish the context for a remote digital interaction.”

NIST explained that out of band authentication that uses SMS messaging is “deprecated and may no longer be allowed in future releases.” Out of band authentication measures are physical devices “uniquely addressable and can receive a verifier-selected secret for one-time use.”

“Two key requirements are that the device be uniquely addressable and that communication over the secondary channel be private,” NIST stated. “Some voice-over-IP telephone services can deliver text messages and voice calls without the need for possession of a physical device; these SHALL NOT be used for out of band authentication.”

The report adds that certain smartphone applications that use secure communication protocols are preferable options to out of band communication.

Multi-factor authentication measures, authenticators that are difficult to duplicate, and authenticators with dynamic outputs can all be beneficial in creating threat mitigation techniques against potential outsider attacks, the report’s authors explained.

“Multiple factors make successful attacks more difficult to accomplish,” NIST stated. “If an attacker needs to both steal a cryptographic authenticator and guess a memorized secret, then the work to discover both factors may be too high.”

Physical security measures, periodic training, and current system and network security controls were also listed as potential threat mitigation strategies.  

NIST has previously produced guidelines that would potentially affect healthcare data security measures. For example, earlier this year the agency released the final draft on its development process for cryptographic standards and guidelines.

The NIST standards, guidelines, and supportive documents are not requirements for healthcare organizations to follow, but they can assist keeping covered entities current with the latest healthcare data encryption standards.

In healthcare secure texting, SMS messaging has long been described as not being HIPAA compliant. However, covered entities can sometimes have a difficult time steering employees toward other options.

The University of Chicago found in a study toward the end of last year that nearly 71 percent of respondents preferred SMS messaging for overall efficiency, and 80 percent preferred it for its ease of use.

Researchers acknowledged that HIPAA rules do not specifically ban SMS messaging, there are standards for establishing proper data security standards. Researchers wrote that there is an expectation that professionals will create ways to integrate secure direct messaging into practice while still keeping a high standard of security.

“By not banning specific technologies, these expectations recognize the fact that new technologies can improve the efficiency and quality of care, but they require that providers and health systems together account for the rights of patients to have their information protected,” the researchers said. “Additionally, they should also be engaged in finding and promoting technologies within their institutions, such as secure SMS text messaging apps that are both HIPAA compliant as well as efficient and easy to use.”

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks