US government agency calls for the end of SMS authentication

There are other, more secure two-factor systems around.

The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.

NIST doesn't make clear why it's deprecating SMS two-factor, but there are a few reasons that make sense. Most phones display text messages on their lock screen, meaning a would-be attacker would be able to authenticate just by looking at your phone. There are also considerable flaws in signalling protocols that make SMS more vulnerable than other methods.

NIST's guidelines aren't legally binding, but other government agencies stick by them, and the industry at large will follow. So what's the alternative to SMS? There are plenty. The most prevalent are dedicated applications that deliver a two-factor code that refreshes every 30 seconds. Google Authenticator, Authy, Duo and other apps all essentially do the same thing with slight differences in presentation and execution. If you work for a large company, you might have used hardware that works on a similar principle, such as RSA SecurID dongles.

There are still plenty of sites and services that only offer SMS-based authentication, while others such as Facebook support both app- and SMS-based methods. And, of course, there are inexplicably some services with no protection at all. Instagram is one such outlier -- it's been slowly bringing two-factor to its userbase this year, but at the time of writing has yet to complete that rollout.
