Become a MacRumors Supporter for $25/year with no ads, private forums, and more!
  • Did you order new AirTags? We've opened a dedicated AirTags forum.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,446
14,144



The US National Institute for Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

iOS-two-factor-authentication-800x393.jpg
Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)


Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
The new guidelines also make a point for companies to ensure that two-factor authentication notifications aren't going through a VoIP service, which could be easily compromised. NIST also includes "limited use" of biometrics as a way for users to gain access to their second layer of authentication, meaning Apple could pivot to Touch ID as an alternative if SMS support for the security feature officially comes to an end.

Article Link: New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication
 
  • Like
Reactions: OttawaGuy

zonk44

macrumors member
Oct 15, 2013
44
37
Switzerland
Misleading article. The deprecation of SMS as authentication method is not about two factor authentication, but authentication in general. So single factor authentication through SMS will of course also be deprecated (Example: WhatsApp)
 
Comment

Iconoclysm

macrumors 68030
May 13, 2010
2,505
1,767
Washington, DC
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:

If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
 
Comment

bdhokie

macrumors member
Feb 26, 2010
53
116
USA
While it may not be perfect, the suggestion everyone should use an app eliminates any two factor authentication for small companies /developers who may not have those resources starting out. Instead of deprecating SMS, which is better than nothing, why not recommend it as a last resort?
 
Comment

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,127
5,094
But its a much better way than doing nothing at all. Personally, we need to get to a whole new paradigm of authentication, period. Deprecate the password!

I agree with this, but then you hit the problem of, okay, if not passwords, then how do you authenticate?
 
  • Like
Reactions: centauratlas
Comment

ARB4

macrumors newbie
Mar 28, 2016
14
17
Richmond, VA
Apple may use SMS as an option in its Two-Step Authentication, but not in their Two-Factor Authentication.
 
Comment

Apoxie

macrumors newbie
Apr 23, 2012
9
3
This is a bad decision. It will just lead to people not doing 2FA instead. I don't want an app for each service or some physical token generator or be bound to the use of a specific brand of phone.

2FA should be easy, also across multiple services and devices. SMS spans that beautifully.

There should of course be an option to do it even more secure then SMS, but SMS should also be on the plate as a "low security" 2FA instead of doing nothing.
 
Comment

MrX8503

macrumors 68020
Sep 19, 2010
2,285
1,597
There needs to be a two step authentication any time you talk to carrier customer service.

The reason why SMS two step isn't safe is because your phone number can be re routed without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

Pro Tip: 1password can act as a authenticator app. No need for Google Auth app or Authy.
 
Comment

gsmornot

macrumors 68040
Sep 29, 2014
3,337
3,087
This is a bad decision. It will just lead to people not doing 2FA instead. I don't want an app for each service or some physical token generator or be bound to the use of a specific brand of phone.

2FA should be easy, also across multiple services and devices. SMS spans that beautifully.

There should of course be an option to do it even more secure then SMS, but SMS should also be on the plate as a "low security" 2FA instead of doing nothing.
I think people that are aware of 2 factor will do the work required to learn the requirements. Most people (that I know) have no idea what 2FA is much less care if it uses SMS. If SMS is less secure then lets move on and go through the process of learning to deal with the alternative. Making everything easier has created this process where people allow themselves to be less intelligent because its hard to follow along.
 
  • Like
Reactions: SoSickSadNslOw
Comment

ARB4

macrumors newbie
Mar 28, 2016
14
17
Richmond, VA
I still dont understand the difference between those two. the names alone are confusing
Agreed. I think the former is only around because the latter really only works with iOS9 and above. Two-Factor also doesn't include offline recovery key or app-specific passwords.
 
Comment

gsmornot

macrumors 68040
Sep 29, 2014
3,337
3,087
I still dont understand the difference between those two. the names alone are confusing
The names are what make it easy to follow. One simply requires two steps to complete the entry. Do this, then this.
Two factor on the other hand is to have two somethings...something you know, something you have, or something you are. In other words, a password, your physical device and/or your biometric identity. Someone may have your password but not your device for example. With two step, if they have your SIM cloned and request the code for entry, they will receive it. This is why SMS can be an issue.
 
  • Like
Reactions: BMcCoy and ARB4
Comment

Robert.Walter

macrumors 68000
Jul 10, 2012
1,705
1,889
I still dont understand the difference between those two. the names alone are confusing

I just realized I thought I knew the difference but don't, and I read the documentation and I use them.

I guess I need to go back and study them, because at this point, I couldn't explain the difference to someone.
 
Comment

EricTheHalfBee

Suspended
Mar 10, 2013
467
739
Apple can send an iMessage.

They "could", but why bother when they can send a notification to a trusted device? To me this is far superior to SMS or using an App. People could clone a SIM and get an SMS. Going to be hard to clone an Apple Device ID to try and catch your notifications.
 
Comment

MallardDuck

macrumors 6502a
Jul 21, 2014
564
955
Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen.

But more importantly, while the article rightly points out that SMS can be spoofed or intercepted, it completely ignores the question of 'is it secure enough'? For nuclear launch codes, no, agree it's not. But for securing a gmail account? It's the best option available at the moment.
 
Comment

John Mcgregor

Suspended
Aug 21, 2015
1,257
1,485
Newport
They "could", but why bother when they can send a notification to a trusted device? To me this is far superior to SMS or using an App. People could clone a SIM and get an SMS. Going to be hard to clone an Apple Device ID to try and catch your notifications.

But how do you setup a trusted device? To have a trusted device you first have to go through this process on that device.
 
Comment

Jst1man

macrumors newbie
Jul 26, 2016
1
0
California
NIST is a a bit over zealous. Nothing new. Remember that SMS and 2nd calls are for primary Authentication and not 2nd. This is a case of the user having to much control over their own devices. God forbid that a user choose not to put junk on their phone. It's almost like they are setting us up.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.