OOB verification is the use of two separate networks to authenticate a user such as when members forget passwords and have temporary passwords texted to their phones. This method, in theory, makes fraud more difficult to commit because two disparate authentication channels need compromising for attackers to gain access.

However, in practice, NIST said, SMS is a vulnerable 2FA method, and determined criminals can exploit it. Because the possession of a person's mobile device is not required, SMS vulnerabilities can expose information through man-in-the-middle attacks or forwarded messages.

Further, criminals can attempt to substitute their own phone number for their victims' number prior to attempting access. The effectiveness of this technique depends on the organization's strict adherence to security protocols in changing account information.

For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can exploit SMS functionality to send fraudulent text messages or fake incoming SMS messages for phishing, also known as SMiShing. Lynch suggested VoIP services also permit the possible interception of SMS messages.

Despite these vulnerabilities, the industry has long accepted them for lack of an alternative, Lynch pointed out, because fraud and authentication professionals have struggled to find the right replacement.

Instead of SMS, the NIST guideline recommends the use of tokens, one-time code type generators, and software cryptographic authenticators to prevent fraud. With these tokens in place, changing the pre-registered telephone number is not possible without two-factor authentication at the time of the change, blocking one potential access point from fraudsters.

Communication through dedicated apps, tied with authentication software that delivers point-to-point communication for server-to-client messages down an encrypted path makes for better protection. Lynch said this procedure, which InAuth provides, is remarkably secure. "There is no way for transmissions sent along this route to be intercepted or replayed."

InAuth provides a permanent device ID, InPermID, for mobile apps. The mobile device can then act as a trusted second factor of authentication. In the message process, InAuth sends communication from the server to the mobile app on that device. The recipient receives a push notification about a new message before receiving it. That message, encrypted end-to-send, never travels outside the rails or architecture. There is no external handoff to a third party.

Another best practice for authentication mentioned by NIST is biometrics use. InAuth's browser fingerprint recipe allows businesses to recognize any web-connected device and produce a unique identifier, InBrowserID.

"I understand where they [NIST] are coming from, they highlight vulnerabilities," Lynch said. "The challenge is to do something about it. Using that mobile device as a secure token. You certainly need to make sure you secure that mobile device itself," Lynch said.