New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication

Tuesday July 26, 2016 7:14 am PDT by Mitchel Broussard
The US National Institute for Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

iOS two-factor authentication
Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)

Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
The new guidelines also make a point for companies to ensure that two-factor authentication notifications aren't going through a VoIP service, which could be easily compromised. NIST also includes "limited use" of biometrics as a way for users to gain access to their second layer of authentication, meaning Apple could pivot to Touch ID as an alternative if SMS support for the security feature officially comes to an end.

Tag: Two-Factor Authentication
[ 101 comments ]

Top Rated Comments

(View all)

Avatar
2457282
46 months ago
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:
Rating: 20 Votes
Avatar
John Mcgregor
46 months ago
Apple can send an iMessage.
Rating: 10 Votes
Avatar
gwhizkids
46 months ago
But its a much better way than doing nothing at all. Personally, we need to get to a whole new paradigm of authentication, period. Deprecate the password!
Rating: 7 Votes
Avatar
Iconoclysm
46 months ago

I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:


If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
Rating: 6 Votes
Avatar
bdhokie
46 months ago
While it may not be perfect, the suggestion everyone should use an app eliminates any two factor authentication for small companies /developers who may not have those resources starting out. Instead of deprecating SMS, which is better than nothing, why not recommend it as a last resort?
Rating: 5 Votes
Avatar
big-ted
46 months ago

Good.

SMS is a piss poor way of doing 2FA and lazy companies need to move towards apps such as google authenticator, authy, e.g.


You are assuming that everyone on the planet has a smart phone
Rating: 5 Votes
Avatar
MallardDuck
46 months ago
Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen.

But more importantly, while the article rightly points out that SMS can be spoofed or intercepted, it completely ignores the question of 'is it secure enough'? For nuclear launch codes, no, agree it's not. But for securing a gmail account? It's the best option available at the moment.
Rating: 4 Votes
Avatar
MrX8503
46 months ago
There needs to be a two step authentication any time you talk to carrier customer service.

The reason why SMS two step isn't safe is because your phone number can be re routed without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

Pro Tip: 1password can act as a authenticator app. No need for Google Auth app or Authy.
Rating: 4 Votes
Avatar
CFreymarc
46 months ago
There have been public-private key encryption standards for SMS messages going back twenty years. Not a single carrier has implemented in on their network. Implement that and you can use SMS messages to verify without compromise.
Rating: 4 Votes
Avatar
zonk44
46 months ago
Misleading article. The deprecation of SMS as authentication method is not about two factor authentication, but authentication in general. So single factor authentication through SMS will of course also be deprecated (Example: WhatsApp)
Rating: 3 Votes

[ Read All Comments ]