US Carriers Want To Handle Your Two-Factor Authentication
Two-factor authentication or 2FA is definitely a lot better than a naked password, but not all 2FA methods are created equal. SMS, which is actually the default many 2FA systems use, has been criticized for being more of a liability than a security option. Now the four major US carriers, often viciously competing with other, are now working together to develop a 2FA platform that will rely on your phone, phone number, and other factors, so that you will rely on them rather than third-party apps for your 2FA needs.
2FA works by requiring a second authentication code or PIN to really verify the user's identity. But it can only work effectively if that second factor is sent through reliable channels. SMS is probably the most convenient among phone-based 2FAs but it is also the weakest link. Phone numbers can be easily spoofed and stolen, and the rest will come crumbling down.
The Mobile Authentication Taskforce, made up of AT&T, Sprint, T-Mobile, and Verizon, was formed to develop a new 2FA platform that resolves that problem. Instead of simply relying on a phone number, this "next-generation mobile authentication platform" will use a variety of unique attributes, including a network-verified phone number, IP address, SIM card, phone number account, etc. The more factors you include, the more unique it becomes and the harder it gets to fool.
All good right? Some might, however, wonder if there's anything else involved. After all, there are already better 2FA methods, most of which rely on authentication apps like Google Authenticator, Authy, and more. These apps have the added benefit of not being tied to a phone or even a phone number. They also bypass carriers in effect.
It's still on paper now, however. And it will only be in the coming weeks before the taskforce actually starts internal testing. That said, they plan to make the whole thing available before 2018 is over.