Is SMS-based Two-Step Verification insecure?

The National Institute of Standards and Technology (NIST) recently released a new draft of its Digital Authentication Guidelines. In it, NIST explains that it can no longer recommend SMS-based Two-Step Verification and no longer considers it secure, because a determined attacker could persuade your mobile phone provider to transfer your telephone number to a new device.

Pobox has never provided SMS-based Two-Step Verification. Our primary lockout codes have always been either time-based one-time passwords (TOTP), which are valid for only 30 seconds and generated by an authentication app such as Google Authenticator (for more options, see other authentication apps), or a Yubikey hardware token.

For Pobox Two-Step Verification, SMS-based codes are used for lockout purposes only. Any use of an SMS code will cause an email confirmation to be sent to your admin contacts, so you know if this method has been used. We feel this balances the potential attack vector with the most convenient avenue of recovery should you lose access to your primary lockout codes.

We also provide printable lockout codes, which you may choose as your exclusive backup method. (If one of these printable lockout codes is used, Pobox will also send you a message informing you that it has been used to access your account.) If you use printable codes exclusively, please do NOT store those codes on your handset; keep them in a secure location.
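To make the arrangement above concrete, here is an added Python sketch (not Pobox's code; the account class, method names and notification strings are assumptions) of a 30-second TOTP primary factor with SMS and printable codes as recovery methods, where every recovery attempt is reported to the admin contact and each code can be used only once:

```python
import hashlib
import hmac
import secrets
import struct

STEP, DIGITS = 30, 6   # 30-second, 6-digit TOTP codes, as described above

def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for a Unix time."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current 30 s step plus `skew` steps either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-skew, skew + 1))

def _h(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class Account:
    """Primary second factor is TOTP; SMS and printable codes are recovery only,
    and every recovery attempt is reported to the admin contact (assumed model)."""
    def __init__(self, secret: bytes, printable_codes: list[str], admin: str):
        self.secret, self.admin = secret, admin
        self._unused = {_h(c) for c in printable_codes}   # stored hashed, single-use
        self._sms = None                                  # code last sent by SMS
        self.notifications: list[str] = []                # stand-in for the emails

    def login(self, code: str, now: int) -> bool:
        return verify_totp(self.secret, code, now)

    def send_sms_code(self) -> str:
        self._sms = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        return self._sms   # what the provider would text to the handset

    def recover(self, method: str, code: str) -> bool:
        if method == "sms":
            ok = self._sms is not None and hmac.compare_digest(self._sms, code)
            self._sms = None                              # one attempt per code
        elif method == "printable":
            ok = _h(code) in self._unused
            self._unused.discard(_h(code))                # burn the code once used
        else:
            ok = False
        self.notifications.append(
            f"to {self.admin}: {method} recovery code {'used' if ok else 'rejected'}")
        return ok
```

The TOTP function reproduces the RFC 6238 test vectors (e.g. the 20-byte ASCII secret "12345678901234567890" at time 59 gives 287082), so it can be checked against any standard authenticator app.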
