NIST 800-63B: deprecating the use of out-of-band SMS for two-factor authentication

Back to Blog
August 27, 2016
Keith Graham

This week, NIST announced 800-63B – a draft special publication named ‘Digital Authentication Guideline’ for ‘Authentication and Lifecycle Management’. Within this draft, NIST is deprecating their recommendation of using SMS as a delivery mechanism for one-time-passcodes as an out-of-band authentication method.

At SecureAuth, we agree with NIST’s guidance. As a security vendor where authentication is in our DNA, we have believed and demonstrated that basic two-factor authentication alone is no longer enough.

In today’s world where credentials are being stolen daily, the large uptake of SMS as a basic form of two-factor authentication is of no surprise. It’s been relatively easy for companies to implement – the availability of cell phones is now widespread, and while the user experience is not fantastic, it’s generally acceptable given the increase in security.  The reality is though, organizations (whether it’s for corporate or consumer use) are still not doing enough around securing authentication.

However, with this news, it’s important not to throw the baby out with the bathwater. There is arguably some sensationalism being generated in the media as a result of this news, and while we’d advise any SecureAuth customers to use more than just basic two-factor authentication, (such as adaptive authentication techniques or a more secure second-factor method like mobile push) hope is not lost for those organizations that are still using SMS one-time-passcodes.

Per the new guidance from NIST, SecureAuth customers using SMS based one-time-passcodes can already begin to meet the new requirements of the draft.

To begin with, SecureAuth IdP is able to ensure that any access for changes to the pre-registered telephone number are protected by two-factor authentication. Similarly, SecureAuth can also ensure that the receiving telephone number for the SMS one-time-passcode isn’t virtualized, e.g. a VOIP number. We reduce risk today by blocking all virtualized telephone numbers that are not US based, and while we do allow this for US numbers (due to the widespread use of Google Voice) under NIST’s guidance we are now considering blocking this globally once we’ve considered customer impact.

For those SecureAuth customers that are still concerned about the use of SMS as a basic form of two-factor authentication, there are alternatives such as receiving a spoken one-time-passcode via a telephone call, or using more secure forms of two-factor authentication known as ‘push’ that leverage Apple and Google end-to-end encrypted networks.

While these push methods depend on a user possessing a smart phone, this out-of-band method of authentication uses a secure communication protocol for the delivery of the one-time-passcode (or the acceptance of the user granting the authentication request). This conforms fully to NIST’s guidance per the current draft and provides not only a more secure alternative to SMS one-time-passwords, but also an improved user experience for the end user.

While the theme of this article has centered around two-factor authentication and navigating this draft publication from NIST, for those customers who wish to go beyond just two-factor, SecureAuth can also offer additional layers of risk analysis afforded by using Adaptive Authentication.

Adaptive authentication performs risk analysis of the user pre-authentication: before the user is even sent a one-time passcode or prompted for a second factor. These additional layers of risk analysis include: analysis of the authenticating IP address against known threats, analysis of the geographic location combined with logging history, and analysis of aspects of the user’s endpoint device. Adaptive authentication can mitigate risk and help organizations move beyond just two-factor authentication.

Never Miss a Beat
Subscribe to Our Blog

SecureAuth Identity Platform Adaptative Authentication

Identity and Access Management

Empower your digital initiatives with secure access for everyone and everything connecting to your business

Product Features

Adaptive Authentication

Extend verification of a user identity with contextual risk checks

Multi-Factor Authentication

Leverage a broad portfolio of authentication factors for desktop and mobile

Intelligent Risk Engine

Protect your identities with advanced risk profiling analytics

Single Sign-On

Provide app discovery and one-click login through portal or desktop SSO

User Lifecycle Management

Enable admins with strong CRUD capabilities and users with self-service tools

Secure All Identities


Customer Identities

Deliver a frictionless customer experience safeguarding user data and privacy


Workforce Identities

Govern and control access rights for employees, partners, and contractors

Moving Beyond Passwords

Learn how passwords alone no longer provide the appropriate level of protection, nor confidence, required to secure valuable resources


Passwordless Authentication

Reduce the risk of breaches by eliminating passwords

2FA is Not Enough

Block popular phishing and brute force attacks used by bad actors

Protecting Office 365

Extend adaptive authentication and flexible MFA to all apps including Office 365

Securing Portals and Web Apps

Balance strong security and an exceptional user experience

RSA Migration

Transition to a modern identity and access management solution



Financial Services


Energy and Utilities

Public Sector


White Papers


Recorded Webinars

Analyst Reports

Innovation Labs


Support Portal

Events & Webinars



Calculate Your Savings

Lower support costs by enabling your users the control to reset passwords, account unlocks, device enrollment and update profiles

Meet SecureAuth

About SecureAuth