VIP (Validation ID Protection)

The U.S. National Institute for Standards and Technology (NIST) released a draft of Digital Authentication Guidelines and has suggested SMS-based out-of-band two-factor authentication is no longer secure enough to prevent identity theft because users may not always be in possession of the phone or SMS messages can be intercepted and not delivered to the phone.

As stated in the draft guideline 800-63B,

”Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators.”

Before we jump into any conclusions, we should keep in mind that this guideline is only a draft version – a preview used to seek public comments and explore industry reactions. While SMS might not be the suggested method to protect access, it is still better than traditional static password or just using one-factor for authentication protection.

Symantec aligns with the NIST guideline that SMS is not the most secure solution for two-factor authentication. For customers who feel SMS does not provide enough security for authentication we provide and recommend using more secure multi-factor authentication methods based on credentials.  With these solutions, authentication channels are more secure while also providing better user experiences. We recommend the following examples, which are all included in the Symantec VIP (Validation and ID Protection) Service: 

• One-tap Push Verification that sends a DENY or APPROVE notification to your phone
• Biometric Authentication that uses fingerprint to make authentication easy
• VIP Mobile App that generates One-time password (OTP)
• Risk-based Intelligent Authentication that assess user behavior and device reputation to prevent unauthorized access
• Credential Development Kit (CDK) that allows developers to embed VIP credential into mobile application 

Symantec VIP provides strong authentication that cannot be intercepted or redirected. Our cryptographic keys are generated on dedicated FIPS 140-2 [1] compliant hardware security modules, and stored in an encrypted format. Our cloud infrastructure is operated from multiple Tier 4 data centers—the most stringent level of data center defined by ANSI/TIA-942 [2]. Symantec authentication solutions are designed for high-availability, fault-tolerance, and adherence to the strictest security processes and standards. In addition, we continue to make investments in security enhancement. With Symantec VIP, you can have peace of mind and enjoy secure authentication processes anytime, anywhere, from any devices.   

Learn more about Symantec VIP and all the benefits!

[1] Federal Information Processing Standards 


[2] American National Standards Institute/Telecommunications Industry Association