New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication - MacRumors
Skip to Content

New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication

by

The US National Institute for Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

iOS two-factor authentication

Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)

Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

The new guidelines also make a point for companies to ensure that two-factor authentication notifications aren't going through a VoIP service, which could be easily compromised. NIST also includes "limited use" of biometrics as a way for users to gain access to their second layer of authentication, meaning Apple could pivot to Touch ID as an alternative if SMS support for the security feature officially comes to an end.

Tag: Two-Factor Authentication

Top Rated Comments

2
2457282
127 months ago
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:
Score: 20 Votes (Like | Disagree)
John Mcgregor Avatar
John Mcgregor
127 months ago
Apple can send an iMessage.
Score: 10 Votes (Like | Disagree)
gwhizkids Avatar
gwhizkids
127 months ago
But its a much better way than doing nothing at all. Personally, we need to get to a whole new paradigm of authentication, period. Deprecate the password!
Score: 7 Votes (Like | Disagree)
Iconoclysm Avatar
Iconoclysm
127 months ago
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:
If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
Score: 6 Votes (Like | Disagree)
big-ted Avatar
big-ted
127 months ago
Good.

SMS is a piss poor way of doing 2FA and lazy companies need to move towards apps such as google authenticator, authy, e.g.
You are assuming that everyone on the planet has a smart phone
Score: 5 Votes (Like | Disagree)
B
bdhokie
127 months ago
While it may not be perfect, the suggestion everyone should use an app eliminates any two factor authentication for small companies /developers who may not have those resources starting out. Instead of deprecating SMS, which is better than nothing, why not recommend it as a last resort?
Score: 5 Votes (Like | Disagree)
Read All Comments