SMS-based two-factor authentication may soon be deemed unsafe
The rise of high-profile hacking of Internet services, like the iCloudgate of recent memory, has put an emphasis on stronger security measures, like, for example, two-factor or two-step authentication. It seems, however, that not all two-factor systems are considered equal. A draft of an upcoming Digital Authentication Guideline to be published by the US National Institute for Standards and Technology or NIST may very well declare two-factor authentication that uses SMS as the second factor to be inherently insecure and, therefore, obsolete.
The concept behind two-factor authentication is that it combines something that a user knows (first factor) and something that a user has or always possesses (second factor) to securely validate a login or access attempt. In almost all cases, the first factor is a password or PIN number. The second factor involves a random set of digits or combination letters and numbers that is sent via different means, like through an authenticator app or SMS.
The problem, according to the NIST guideline, is that SMS is now considered to be a very fragile channel. For one, if the smartphone associated with the two-factor authentication is stolen, then sending via SMS defeats the purpose of securing the account. Also, SMS can be easily spoofed, intercepted, and redirected, which gives hackers and third parties access to that secret code.
And so the NIST is declaring using SMS for two-factor authentication as obsolete and might no longer even be allowed in future versions of its guidelines. Considering the Digital Authentication Guideline is something that almost all tech companies in the US follow, like Google or Apple, that will most likely be taken as law when that time comes.
The NIST recommends using a secure authentication app or biometrics, mostly fingerprint, as better means of using two-factor authentication. That said, SMS remains to be the most convenient and most widespread method, as not everyone owns a smartphone with fingerprint sensors, so it remains to be seen whether end users will be willing to make the extra effort to secure their digital accounts or drop two-factor authentication entirely instead.
SOURCE: US NIST
VIA: CNET