
Say Farewell to SMS-Based Two-Factor Authentication?

SMS-based two-factor authentication is a pretty handy tool for verifying a user’s identity. But the US National Institute of Standards and Technology (NIST), which sets the standards for authentication software, says that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred …


As Engadget notes, NIST guidelines aren’t binding.

Those interested in reading the full (and lengthy) Digital Authentication Guideline can check it out here. In SMS-based out-of-band verification, the service sends a one-time code by SMS to the telephone number the user pre-registered. If the individual uses a voice-over-internet-protocol (VoIP) service, which provides phone service over a broadband internet connection, hackers can hijack that SMS message.

It now seems that SMS-based two-factor authentication could soon be banned: a single sentence at the end of the relevant text says that ‘Out of band [verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance’.

Basically, SMS-based two-factor authentication is an insecure process because the phone may not always be in the possession of its owner. In other words, with SMS-based authentication, you can’t guarantee that the intended recipient actually has the physical device.


The guideline recommends that apps use tokens and software cryptographic authenticators instead, but these may also take the form of phone apps or devices that can be stolen or “temporarily borrowed”, just like phones; not every method for retrieving a verification code is secure in itself. The change in policy could have a profound impact on the way we secure our most important digital information, including how we log in to everything from our email, bank, and online video accounts.

NIST Recommends Deprecation Of SMS Two-Factor Authentication