Latest in Gear

Image credit:

US government agency calls for the end of SMS authentication

There are other, more secure two-factor systems around.
1172 Shares
Share
Tweet
Share
Save

Sponsored Links

The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.

NIST doesn't make clear why it's deprecating SMS two-factor, but there are a few reasons that make sense. Most phones display text messages on their lock screen, meaning a would-be attacker would be able to authenticate just by looking at your phone. There are also considerable flaws in signalling protocols that make SMS more vulnerable than other methods.

NIST's guidelines aren't legally binding, but other government agencies stick by them, and the industry at large will follow. So what's the alternative to SMS? There are plenty. The most prevalent are dedicated applications that deliver a two-factor code that refreshes every 30 seconds. Google Authenticator, Authy, Duo and other apps all essentially do the same thing with slight differences in presentation and execution. If you work for a large company, you might have used hardware that works on a similar principle, such as RSA SecurID dongles.

There are still plenty of sites and services that only offer SMS-based authentication, while others such as Facebook support both app- and SMS-based methods. And, of course, there are inexplicably some services with no protection at all. Instagram is one such outlier -- it's been slowly bringing two-factor to its userbase this year, but at the time of writing has yet to complete that roll out.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
1172 Shares
Share
Tweet
Share
Save

Popular on Engadget

Runkeeper drops its Wear OS app due to a 'buggy experience'

Runkeeper drops its Wear OS app due to a 'buggy experience'

View
Drako's GTE electric supercar will be a four-motor, 1,200HP monster

Drako's GTE electric supercar will be a four-motor, 1,200HP monster

View
Nintendo says there is no Switch exchange program

Nintendo says there is no Switch exchange program

View
IKEA creates a business unit devoted to smart home tech

IKEA creates a business unit devoted to smart home tech

View
US will reportedly give Huawei another temporary reprieve

US will reportedly give Huawei another temporary reprieve

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr