Say Goodbye to SMS Two-Factor Authentication
By Jef Cozza / CRM Daily
After years of being told by security experts that we should set up two-factor authentication for our accounts, the government agency responsible for establishing digital security guidelines announced in a draft document today that it would no longer be recommending the practice. The change in policy could have a profound impact on the way we secure our most important digital information, including how we log in to everything from our email and bank accounts to our online video accounts.

Two-factor authentication refers to the practice of designing systems that require two separate types of authentication. That might include logging into an online account using a combination of both your password and a randomly generated security code sent to your email address or smartphone. Two-factor authentication has been widely implemented in both enterprise and consumer accounts.

Risks from SMS

The policy change comes courtesy of the National Institute of Standards and Technology (NIST), the federal agency responsible for setting official guidelines for technology standards and measurement regulations. The organization released a new draft of its Digital Authentication Guideline, in which it explained that SMS two-factor authentication would no longer be encouraged going forward.

“OOB (Out of band) using SMS is deprecated, and may no longer be allowed in future releases of this guidance,” the latest draft reads. The agency cited the risk that SMS messages may be intercepted or redirected as one of the reasons behind its decision to no longer support SMS two-factor authentication.

SMS security protocols are often less secure than those for other modes of communication, making it possible for a hacker to intercept the second authentication factor remotely. Some phones also display SMS messages on-screen even when the phone is locked, making it possible for an attacker with physical access to the device to read the message.

Other Two-Factor Options

The guideline is still in draft form, so the change in policy may not make it to the final version. The NIST’s guidelines are also not legally binding, so services that use SMS authentication will not be required to drop it. Nonetheless, the agency’s recommendations are highly influential and most major players typically follow its lead.

The NIST also issued guidelines for how alternate forms of two-factor authentication should be implemented in the future. “Out of band verifiers shall generate a random authentication secret with at least 20 bits of entropy using an approved random number generator,” the draft guidelines read. “They then optionally signal the device containing the subscriber’s authenticator to indicate readiness to authenticate.”

The agency also approved of the use of secure applications, known as an authenticated protected channel, as a way to replace SMS authentication. For example, a mobile banking app could receive a second authentication factor, with the user receiving a push notification alerting them to check the app, so long as the push notification does not contain the actual second factor.
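The two requirements quoted above (a random secret of at least 20 bits from a strong generator, and a push notification that never carries the secret) can be sketched as follows. This is an added example, not code from NIST or the article: the class and method names, the five-minute lifetime, and the single-use rule are assumptions, and Python's `secrets` module stands in for an "approved" generator.

```python
import hmac
import math
import secrets
import time

MIN_ENTROPY_BITS = 20   # floor quoted from the draft guideline
CODE_DIGITS = 7         # 10**6 < 2**20, so a 6-digit code falls just short
TTL_SECONDS = 300       # assumption: the article states no lifetime


def entropy_bits(digits):
    """Entropy of a uniformly random decimal code of the given length."""
    return digits * math.log2(10)


class OutOfBandVerifier:
    """Hypothetical verifier; in-memory storage is for illustration only."""

    def __init__(self, clock=time.time):
        self._pending = {}      # session_id -> (secret, expiry)
        self._clock = clock

    def start(self, session_id):
        # secrets.randbelow draws uniformly from the OS CSPRNG.
        secret = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = (secret, self._clock() + TTL_SECONDS)
        # The push only signals readiness; it never contains the secret.
        return {"session": session_id, "body": "Open the app to approve your sign-in."}

    def fetch_in_app(self, session_id, app_authenticated):
        # Stands in for the authenticated protected channel: only an
        # authenticated app session may read the secret.
        if not app_authenticated or session_id not in self._pending:
            return None
        return self._pending[session_id][0]

    def verify(self, session_id, submitted):
        # Pop first so every secret is single use, even after a wrong guess.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        secret, expiry = entry
        if self._clock() > expiry:
            return False
        # Constant-time comparison avoids leaking matching prefixes.
        return hmac.compare_digest(secret.encode(), submitted.encode())
```

Because the secret is consumed on the first attempt, an attacker gets one guess per issued code rather than repeated tries against a 20-bit space.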

Tell Us What You Think


Kirk B.:
Posted: 2016-07-30 @ 10:22am PT
Government moves slooooowwwwwly. From the May, 2016 Congressional testimony by Acting Commissioner Colvin (SSA) - "In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines." Now that the guidelines are being updated, the hope is that these additional options happen soon...

Ben Jones:
Posted: 2016-07-28 @ 11:09am PT
Then why did I receive an email from the Social Security Administration today saying that they are starting a mandatory two-factor authentication process using SMS?

© Copyright 2018 NewsFactor Network. All rights reserved.