Time Is Running Out For This Popular Online Security Technique

July 26, 2016, 3:49 PM UTC
Social Media Life
Social media. Female hands holding mobile phone with Facebook log in page loaded on screen, whilst sat at office desk late at night. Space for copy.
Lewis Mulatero — Getty Images

So-called two-factor authentication is a must these days when logging into online accounts. Passwords aren’t enough—it’s much safer to also have to enter proof that you are in possession of a certain device that belongs to you, such as your smartphone.

The proof generally takes the form of a one-time code, generated or received by your phone or some other device, like a special security dongle. However, as Fortune noted last month, it’s not so safe to have that code sent to you via text message, as services such as Facebook (FB) and Twitter (TWTR) still do.

For that reason, the U.S. National Institute of Standards and Technology (NIST) is now poised to ban the use of SMS-based two-factor authentication codes for services that plug into government IT systems.

Get Data Sheet, Fortune’s technology newsletter.

In short, NIST wants people to use other, safer means for generating these codes—such as apps like Google (GOOG) Authenticator, or special USB dongles.

The institute signalled the shift in new draft guidelines, now open for consultation, that will tell the programmers of online services how to best implement state-of-the-art security.

Two-factor authentication using SMS is being phased out, or “deprecated” in industry jargon—it’s acceptable for now, but “will no longer be allowed in future releases of this guidance.”

Many banks and other operators of online services still send two-factor authentication codes to their customers via SMS. However, experts have known for years that there are vulnerabilities in the system.

For more on cybersecurity, watch:

People can call up your phone company pretending to be you, then convince the support desk there to redirect your messages to a different SIM card. Hackers can exploit flaws in the ancient SS7 protocol that underpins SMS, in order to fool the phone network into thinking their device is your phone.

If your adversary is particularly well-resourced, they may even have an IMSI-catcher—a device that appears to your phone as the normal phone network— in order to intercept your messages.

“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” NIST’s draft reads. No kidding.