SMS may be deprecated for two-factor authentication


The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, issues non-regulatory guidance on various topics as a means to standardize commercial activity. The agency has issued a preview of its Digital Authentication Guidelines and is seeking comment. One interesting bit relates to using SMS messages for two-factor authentication (2FA). The proposal looks to deprecate this method because of security issues.

Alternatives could include Google Authenticator, Authy, or application push notifications such as those used on iOS.

Via TechCrunch:

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

This is interesting because SMS is far from infallible, but it still seems better than nothing. The convenience of SMS probably promotes 2FA where people otherwise wouldn't bother.