New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jul 26, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    The US National Institute for Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

    Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)


    Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.
    The new guidelines also make a point for companies to ensure that two-factor authentication notifications aren't going through a VoIP service, which could be easily compromised. NIST also includes "limited use" of biometrics as a way for users to gain access to their second layer of authentication, meaning Apple could pivot to Touch ID as an alternative if SMS support for the security feature officially comes to an end.

    Article Link: New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication
     
  2. macsrcool1234 macrumors 65816

    Joined:
    Oct 7, 2010
    #2
    Good.

    SMS is a piss-poor way of doing 2FA and lazy companies need to move towards apps such as Google Authenticator, Authy, etc.
     
  3. 2457282 Suspended

    Joined:
    Dec 6, 2012
    #3
    I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:
     
  4. 73b macrumors regular

    73b

    Joined:
    Aug 22, 2014
    Location:
    East Coast
    #4
    Touch ID is already so easy and secure, people should just use that.
     
  5. gwhizkids macrumors 68040

    gwhizkids

    Joined:
    Jun 21, 2013
    #5
    But it's a much better way than doing nothing at all. Personally, I think we need to get to a whole new paradigm of authentication, period. Deprecate the password!
     
  6. John Mcgregor Suspended

    John Mcgregor

    Joined:
    Aug 21, 2015
    Location:
    Newport
  7. zonk44 macrumors member

    zonk44

    Joined:
    Oct 15, 2013
    Location:
    Switzerland
    #7
    Misleading article. The deprecation of SMS as an authentication method is not about two-factor authentication, but authentication in general. So single-factor authentication through SMS will of course also be deprecated (example: WhatsApp).
     
  8. Iconoclysm macrumors 68020

    Iconoclysm

    Joined:
    May 13, 2010
    Location:
    Washington, DC
    #8
    If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
     
  9. bdhokie macrumors member

    Joined:
    Feb 26, 2010
    Location:
    USA
    #9
    While it may not be perfect, the suggestion that everyone should use an app eliminates any two-factor authentication for small companies/developers who may not have those resources starting out. Instead of deprecating SMS, which is better than nothing, why not recommend it as a last resort?
     
  10. ArtOfWarfare macrumors G3

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #10
    I agree with this, but then you hit the problem of, okay, if not passwords, then how do you authenticate?
     
  11. big-ted macrumors regular

    big-ted

    Joined:
    Feb 24, 2013
    Location:
    UK
    #11
    You are assuming that everyone on the planet has a smartphone.
     
  12. ARB4 macrumors newbie

    ARB4

    Joined:
    Mar 28, 2016
    Location:
    Richmond, VA
    #12
    Apple may use SMS as an option in its Two-Step Authentication, but not in their Two-Factor Authentication.
     
  13. Apoxie macrumors newbie

    Joined:
    Apr 23, 2012
    #13
    This is a bad decision. It will just lead to people not doing 2FA instead. I don't want an app for each service or some physical token generator or be bound to the use of a specific brand of phone.

    2FA should be easy, also across multiple services and devices. SMS spans that beautifully.

    There should of course be an option to do it even more securely than SMS, but SMS should also be on the plate as a "low security" 2FA instead of doing nothing.
     
  14. MrX8503 macrumors 68020

    Joined:
    Sep 19, 2010
    #14
    There needs to be a two step authentication any time you talk to carrier customer service.

    The reason why SMS two-step isn't safe is because your phone number can be rerouted without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

    Pro Tip: 1Password can act as an authenticator app. No need for the Google Authenticator app or Authy.
     
  15. bushido Suspended

    bushido

    Joined:
    Mar 26, 2008
    Location:
    Germany
    #15
    I still don't understand the difference between those two. The names alone are confusing.
     
  16. gsmornot macrumors 68030

    gsmornot

    Joined:
    Sep 29, 2014
    #16
    I think people that are aware of 2FA will do the work required to learn the requirements. Most people (that I know) have no idea what 2FA is, much less care if it uses SMS. If SMS is less secure then let's move on and go through the process of learning to deal with the alternative. Making everything easier has created this process where people allow themselves to be less intelligent because it's hard to follow along.
     
  17. ARB4 macrumors newbie

    ARB4

    Joined:
    Mar 28, 2016
    Location:
    Richmond, VA
    #17
    Agreed. I think the former is only around because the latter really only works with iOS9 and above. Two-Factor also doesn't include offline recovery key or app-specific passwords.
     
  18. gsmornot macrumors 68030

    gsmornot

    Joined:
    Sep 29, 2014
    #18
    The names are what make it easy to follow. One simply requires two steps to complete the entry. Do this, then this.
    Two-factor, on the other hand, is to have two somethings: something you know, something you have, or something you are. In other words, a password, your physical device and/or your biometric identity. Someone may have your password but not your device, for example. With two-step, if they have your SIM cloned and request the code for entry, they will receive it. This is why SMS can be an issue.
     
  19. Robert.Walter macrumors 65816

    Joined:
    Jul 10, 2012
    #19
    I just realized I thought I knew the difference but don't, and I read the documentation and I use them.

    I guess I need to go back and study them, because at this point, I couldn't explain the difference to someone.
     
  20. attila macrumors 6502a

    attila

    Joined:
    Oct 11, 2003
    Location:
    It sure is great to get out of that bag.
    #20
    But how do I use Touch ID to authenticate a webpage on my laptop?
     
  21. CFreymarc Suspended

    Joined:
    Sep 4, 2009
    #21
    There have been public-private key encryption standards for SMS messages going back twenty years. Not a single carrier has implemented it on their network. Implement that and you can use SMS messages to verify without compromise.
     
  22. EricTheHalfBee Suspended

    Joined:
    Mar 10, 2013
    #22
    They "could", but why bother when they can send a notification to a trusted device? To me this is far superior to SMS or using an App. People could clone a SIM and get an SMS. Going to be hard to clone an Apple Device ID to try and catch your notifications.
     
  23. MallardDuck macrumors 6502

    Joined:
    Jul 21, 2014
    #23
    Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen.

    But more importantly, while the article rightly points out that SMS can be spoofed or intercepted, it completely ignores the question of 'is it secure enough'? For nuclear launch codes, no, agree it's not. But for securing a gmail account? It's the best option available at the moment.
     
  24. John Mcgregor Suspended

    John Mcgregor

    Joined:
    Aug 21, 2015
    Location:
    Newport
    #24
    But how do you set up a trusted device? To have a trusted device you first have to go through this process on that device.
     
  25. Jst1man macrumors newbie

    Jst1man

    Joined:
    Jul 26, 2016
    Location:
    California
    #25
    NIST is a bit overzealous. Nothing new. Remember that SMS and 2nd calls are for primary authentication and not 2nd. This is a case of the user having too much control over their own devices. God forbid that a user choose not to put junk on their phone. It's almost like they are setting us up.
     