Tuesday, July 26, 2016

A lot of tech companies may be barred from using SMS for two-factor authentication


One of the options available when using Apple’s two-factor authentication (2FA) is to have a code sent to you via SMS. The US National Institute of Standards and Technology (NIST), whose Digital Authentication Guideline (SP 800-63) sets the authentication requirements that US federal systems must follow, says in its latest draft that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred.

NIST guidelines are binding only on US federal agencies, not on private companies, but most major companies follow them, suggesting that Apple is likely to drop support for SMS authentication once the version of the guidance that bars it is finalised.

Apple’s current options for two-factor authentication are:

  1. a code sent to a trusted device (iPhone, iPad, iPod Touch or Mac)
  2. a phone call to a trusted phone number
  3. a code sent by SMS to a trusted phone number

For now, the NIST draft requires only that verifiers confirm a trusted phone number is associated with a mobile network, and not a virtual number operating via a VoIP service. The reason is that a VoIP number proves nothing about possession of a particular handset: its messages can be picked up by software on any internet-connected device, including the very device being used to log in. However, a single sentence at the end of the relevant text says that ‘Out of band [verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.’

One potential source of confusion here is that the term ‘out of band’ is used in different ways. In telecoms it usually means signalling carried on a channel separate from the voice or data it controls, so it is sometimes read narrowly. In authentication, however, it means that the verification code travels over a channel other than the one the login is happening on: logging in on the web and receiving a code on your phone, whether by call or by SMS, is out of band. The NIST text uses the term in the latter sense, so the deprecation covers all delivery of codes by SMS, not just SMS to VoIP numbers.
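To make the verifier-side requirements above concrete, here is an added example (written for this article, not code from Apple or NIST) of a minimal out-of-band verifier that refuses to send codes to numbers not on a mobile network, issues a random single-use code with a short lifetime, limits guesses, and compares in constant time. The line-type table standing in for a carrier lookup, the phone numbers, and the 10-minute lifetime and three-attempt limit are all constructed illustrative values, not anything the article or the draft specifies about a real service.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a carrier line-type lookup. A real verifier would
# query a number-portability or carrier database; this table is an assumption
# made for the example, not data from the article.
LINE_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
}

CODE_TTL_SECONDS = 600  # illustrative: codes expire ten minutes after issue
MAX_ATTEMPTS = 3        # illustrative: lock the code after three wrong guesses


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Issues and checks one-time codes sent over a channel separate from the login."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # session_id -> PendingCode
        self.audit = []             # events a real system would log

    def channel_allowed(self, number):
        # Draft rule: the pre-registered number must be on a mobile network,
        # not a VoIP (or other virtual) number. Unknown numbers are refused.
        return LINE_TYPE.get(number) == "mobile"

    def issue_sms_code(self, session_id, number):
        """Return the code to hand to the SMS gateway, or None if SMS is refused."""
        if not self.channel_allowed(number):
            self.audit.append(("reject-non-mobile", session_id, number))
            return None
        # SMS is still permitted but deprecated; record that so the channel
        # can be retired in favour of a trusted-device code later.
        self.audit.append(("deprecated-sms-channel", session_id))
        code = f"{secrets.randbelow(10**6):06d}"   # 6 random digits
        self.pending[session_id] = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        return code   # goes only to the SMS gateway, never back on the web session

    def verify(self, session_id, submitted):
        """Check a submitted code: single use, time-limited, guess-limited."""
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[session_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)  # constant-time compare
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[session_id]  # consumed on success, locked after N misses
        return ok


if __name__ == "__main__":
    v = OutOfBandVerifier()
    print("VoIP number accepted:", v.issue_sms_code("s-voip", "+15550100002") is not None)
    code = v.issue_sms_code("s-mobile", "+15550100001")
    print("mobile number accepted:", code is not None)
    print("correct code verifies:", v.verify("s-mobile", code))
    print("replay rejected:", v.verify("s-mobile", code))
```

The `channel_allowed` check is where the draft's current requirement lands; the `deprecated-sms-channel` audit event is the hook you would use to measure how many users still depend on SMS before removing the option entirely.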

If you’re not already using two-factor authentication, it is highly recommended: check out our how-to guide.
