Two-factor authentication refers to the practice of designing systems that require two separate types of authentication. That might include logging into an online account using a combination of both your password and a randomly generated security code sent to your email address or smartphone. Two-factor authentication has been widely implemented in both enterprise and consumer accounts.
Risks from SMS
The policy change comes courtesy of the National Institute of Standards and Technology (NIST), the federal agency responsible for setting official guidelines for technology standards and measurement regulations. The organization released a new draft of its Digital Authentication Guideline, in which it explained that SMS two-factor authentication would no longer be encouraged going forward.
“OOB (Out of band) using SMS is deprecated, and may no longer be allowed in future releases of this guidance,” the latest draft reads. The agency cited the risk of that SMS messages may be intercepted or redirected as one of the reasons behind its decision to no longer support SMS two-factor authentication.
SMS security protocols are oftentimes less secure than those for other communications modes, making it possible for a hacker to intercept the second authentication factor remotely. Some phones also display SMS messages on-screen, even in cases where the phone is locked, making it possible for an attacker with physical access to the device able to read the message.
Other Two-Factor Options
The guideline is still in draft form, so the change in policy may not make it to the final version. The NIST’s guidelines are also not legally binding, so services that use SMS authentication will not be required to drop them. Nonetheless, the agency’s recommendations are highly influential and most major players typically follow their lead.
The NIST also issued guidelines for how alternate forms of two-factor authentication should be implemented in the future. “Out of band verifiers shall generate a random authentication secret with at least 20 bits of entropy using an approved random number generator,” the draft guidelines read. “They then optionally signal the device containing the subscriber’s authenticator to indicate readiness to authenticate.”
The agency also approved of the use of secure applications, known as an authenticated protected channel, as a way to replace SMS authentication. For example, a mobile banking app could receive a second-authentication factor, with the user receiving a push notification alerting them to check the app, so long as the push notification does not contain the actual second factor.
Image credit: iStock/Artist’s concept.
