TechSpot

SMS-based two-factor authentication is being phased out

By Jos
Jul 26, 2016
Post New Reply
  1. Two-factor authentication adds an extra layer of security to your logins by asking for a verification code after you sign in with your credentials. But not every method for retrieving this verification code is secure in itself. To that end the National Institute for Standards and Technology, the US agency that sets guidelines and rules in cryptography and security matters, has proposed to deprecate SMS-based and will no longer allow it in future guidelines.

    The current draft mentions a few reasons why NIST considers text messaging is not sufficiently secure anymore. One of the reasons says that as VoIP communication services have proliferated it’s become harder to assess whether an SMS message is truly being sent over the cell network and not a service that virtualizes phone numbers.

    There’s also the concern that hackers find more and more ways to remotely access, intercept or redirect SMS texts. As a result out of band verification using SMS is deprecated, and will no longer be allowed in future releases of their guidance.

    The alternative is to use a dedicated 2FA app like Google Authenticator or RSA SecurID that can generate out of band authentication codes, or a dedicated device such as security keys, smart cards, and so on. NIST also mentions "limited use" of biometrics as a way for users to gain access to their second layer of authentication.

    Permalink to story.

     
  2. kbongcawel

    kbongcawel TS Rookie

    I have been thinking about this lately.
     
  3. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,511   +503

    This is great news, would rather the 2 step authentication being forced on more companies that provide services instead of phasing it out but well, it's not bad.

    About what? Standardizing 2 step authentication by phasing out sms verification?
     
  4. robb213

    robb213 TS Addict Posts: 315   +93

    Yahoo still uses SMS for authentication, and I've had my doubts on its confidentiality/integrity.

    So far, true random OTP tokens remains as secure as can be. The next big thing will be single sign-on (or SSO). So hopefully by NIST declaring it as deprecated, companies will finally offer a 2FA OTP token option if they don't already.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...