VOIP.MS 2FA and NIST's recent password advice

[ On October 23, I started the topic at … community.voip.ms/t/t/3436 … This new topic is related, but rather than insert this new sub-topic – NIST’s account-security info – way down that topic’s discussion, I’m creating this new topic so that the NIST document is at the top of the thread.]

In August 2025, NIST released major revised policy advice for account security for government systems. The advice is online at this link… NIST Special Publication 800-63B … The link takes you directly to section 2, Authentication Assurance Levels.

NIST’s release got much attention within the cybersecurity world, and I’d guess that the advice in it prompted VOIP.MS to re-assess account security and ultimately to institute mandatory two-factor authentication in mid-October: FACTOR 1: the account password, and FACTOR 2: the six-digit code sent via email.

If VOIP.MS’s new 2FA mandate was in fact intended to align with NIST’s recommendations, I’ll point out that the most basic Authentication Assurance Level – AAL 1 – deems a single password of at least 15 characters to be sufficient: no second factor required. These details are in the NIST document.

I’d urge VOIP.MS to consider making 2FA logins optional instead of mandatory. Account security is important everywhere, but it’s more important for banking and medical records and other crucial information reservoirs. So while security is important for telephone accounts, I’d suggest that it’s not important enough for mandatory 2FA. Instead, AAL 1 should be sufficient. (And as I mentioned in another thread, even Gmail makes 2FA optional.)

If VOIP.MS ultimately keeps mandatory 2FA, then those of us who find it a major obstacle to the management of multiple customer accounts are just out of luck, I suppose.

What do you think?
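To make the two policies being compared concrete, here is an added example (my own sketch, not code from this post, from NIST, or from VoIP.ms). It models the two login paths the post describes: a single-factor path that only accepts a password of at least 15 characters (the AAL1 figure cited above), and a two-factor path that requires the password plus a six-digit emailed code. The 15-character threshold is the one thing taken from the post; the hashing scheme (PBKDF2), the code lifetime, the guess limit, the function names and the reuse of one salt for both secrets are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MIN_SINGLE_FACTOR_LEN = 15        # AAL1 single-password length cited in the post
CODE_TTL_SECONDS = 10 * 60        # assumed lifetime of an emailed code
MAX_CODE_ATTEMPTS = 5             # assumed cap on guesses against one code


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    # Only a salted, iterated hash of the password (and of the pending code) is stored.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_required: bool
    # Pending emailed code, kept hashed so a database leak does not expose it.
    code_hash: Optional[bytes] = None
    code_expires_at: float = 0.0
    code_attempts: int = 0


def create_account(username: str, password: str, mfa_required: bool) -> Account:
    # Single-factor accounts must meet the 15-character minimum from the post;
    # no composition rules (digits, symbols) are imposed. The post gives no
    # minimum for the two-factor path, so none is enforced here.
    if not mfa_required and len(password) < MIN_SINGLE_FACTOR_LEN:
        raise ValueError(f"single-factor password must be >= {MIN_SINGLE_FACTOR_LEN} chars")
    salt = secrets.token_bytes(16)
    return Account(username, salt, _pbkdf2(password, salt), mfa_required)


def check_password(acct: Account, password: str) -> bool:
    # compare_digest keeps the comparison time independent of where hashes differ.
    return hmac.compare_digest(acct.password_hash, _pbkdf2(password, acct.salt))


def issue_email_code(acct: Account, now: Optional[float] = None) -> str:
    """Generate the six-digit code to email; only its hash is kept server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"   # uniform over 000000..999999
    acct.code_hash = _pbkdf2(code, acct.salt)
    acct.code_expires_at = now + CODE_TTL_SECONDS
    acct.code_attempts = 0
    return code


def check_email_code(acct: Account, code: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if acct.code_hash is None or now > acct.code_expires_at:
        return False                                  # nothing pending, or expired
    if acct.code_attempts >= MAX_CODE_ATTEMPTS:
        return False                                  # too many guesses on this code
    acct.code_attempts += 1
    ok = hmac.compare_digest(acct.code_hash, _pbkdf2(code, acct.salt))
    if ok:
        acct.code_hash = None                         # a code is single-use
    return ok


def login(acct: Account, password: str, code: Optional[str] = None,
          now: Optional[float] = None) -> str:
    """Returns 'ok', 'need_code' (password accepted, code still required) or 'denied'."""
    if not check_password(acct, password):
        return "denied"
    if not acct.mfa_required:
        return "ok"                                   # AAL1-style single factor
    if code is None:
        return "need_code"                            # caller should issue_email_code()
    return "ok" if check_email_code(acct, code, now) else "denied"
```

The point of the sketch is where the two paths differ: on the single-factor path the whole of the security rests on password length and on the stored hash, while on the two-factor path the code has to be random, short-lived, single-use and guess-limited, and a wrong password never consumes a code attempt.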

My employer requires MFA for all logins unless one is physically on our network (physically on site). Any admin work (even if on site) requires MFA. In our case the MFA is an authentication app, not text messaging.

We are planning but not yet implementing a scheme where people who have longer passwords will not be required to change their password as often as people with short passwords but have no plans to remove MFA regardless of the password length.

The current imposition of MFA by voip.ms seems to have minimal effects on the target user - a person who owns and manages their own account. As stated, the multi-factor is only required by voip.ms when logging in from a new browser (although end users may have settings that interfere with recognizing the browser as being the same on later visits).

Based on the original thread, the biggest complaint is from people who want to assist others in managing their accounts. “Turn off MFA so more than one person can share a password.” At my work, we do not allow vendors to share access passwords (anything that would give access to our network) … each PERSON needs their own passwords (and MFA).

I continue to agree with the suggestion in the original thread to allow a second login to be added to a voip.ms account - so two people can share access without sharing credentials. That would resolve the biggest objection to having MFA.

Another solution would be to allow multiple targets for the 2FA email. I’ve seen this at some financial institutions.

So I have not yet been asked for any 2FA authentication for my account. If I don’t want it, what are my choices? I am a transplant from Voipo.