Say Goodbye to SMS Two-Factor Authentication

After years of being told by security experts that we should set up two-factor authentication for our accounts, the government agency responsible for establishing digital security guidelines announced in a draft document today that it would no longer be recommending the practice. The change in policy could have a profound impact on the way we secure our most important digital information, including how we log in to everything from our email, bank, and online video accounts.

Two-factor authentication refers to the practice of designing systems that require two separate types of authentication. That might include logging into an online account using a combination of both your password and a randomly generated security code sent to your email address or smartphone. Two-factor authentication has been widely implemented in both enterprise and consumer accounts.

Risks from SMS

The policy change comes courtesy of the National Institute of Standards and Technology (NIST), the federal agency responsible for setting official guidelines for technology standards and measurement regulations. The organization released a new draft of its Digital Authentication Guideline, in which it explained that SMS two-factor authentication would no longer be encouraged going forward.

?EU?OOB (Out of band) using SMS is deprecated, and may no longer be allowed in future releases of this guidance,?EU? the latest draft reads. The agency cited the risk of that SMS messages may be intercepted or redirected as one of the reasons behind its decision to no longer support SMS two-factor authentication.

SMS security protocols are oftentimes less secure than those for other communications modes, making it possible for a hacker to intercept the second authentication factor remotely. Some phones also display SMS messages on-screen, even in cases where the phone is locked, making it possible for an attacker with physical access to the device able to read the message.


Comments are closed.