Advertisement

SMS two-factor authentication isn't being banned

This week's column has been brought to you by fact-checking.

Illustration by D. Thomas Magee

Another week gone by, and the place is in cybersecurity shambles again. A years' old hacking issue, unencrypted wireless keyboards, being featured in an upcoming Defcon talk mystifyingly became a hot new Internet of Things threat. Obama gave us a colorful "threat level" cyber-thermometer that no one's really sure what to do with. Ransomware is hitting hospitals like there's a fire sale on money. And the DNC-Wikileaks email debacle exploded, splattering blame all over Russia.

Just when I thought I'd picked the wrong week to stop sniffing glue, a U.S. National Institute for Standards and Technology (NIST) report came out that included recommendations about the inherent risks in two-factor authentication, upon which the tech press basically lost their minds and told everyone to assume crash positions because the password sky was falling. Again.

What actually happened was, the NIST released the newest draft version of its Digital Authentication Guidelines. In its public preview, the agency included language that hinted at the depreciation of SMS-based Two-Factor Authentication (2FA) because, basically, phone numbers can be hijacked, and SMS can be intercepted -- making the NIST impetus sensible for government employees or those dealing with sensitive medical information or state-level secrets.

But for normal people, 2FA is still going to limit the ability of an attacker to intercept or alter both your password and your SMS code. (Which is, incidentally, the point.)

Using a text message-based code is what would have prevented what happened to tech journalist and editor Mat Honan. In August 2012, a malicious hacker logged into just one of his online accounts and reset the password.

Then the attacker went to town resetting and taking over the rest of Honan's accounts, remotely erasing (forever) everything on his iPhone, iPad and MacBook, including photos of deceased in-laws and the first year of his daughter's life. That attacker also deleted Honan's Google account and took over his Twitter account to post a bunch of racist and homophobic tweets under his name.

With two-factor activated, Honan would've gotten an SMS alerting him that someone was logging into his account. In fact, the only reason he realized something was wrong was because his iPhone prompted him for a reset code.

But neither the practical use cases for 2FA nor the emphasis on a draft recommending depreciation were what came out in this week's mainstream news. Hardly anyone seemed to mention that NIST's guidelines aren't legally binding (we did!), though government agencies often follow them.

Defense Daily pointed out the obvious thing that everyone missed -- this is a work in progress, directed at government. It said, "This new NIST draft was released as a public preview wherein it is considered a stable draft illustrating what the agency has learned through public comment periods, public workshops, and industry collaborations." However, it is "neither complete nor perfect-and it's not intended to be." They added, "This is the point where the agency is articulating the direction it is going but seeks comments from stakeholders on what is right, wrong, and entirely missed in the guidelines."

Headlines cried out that the freewheeling halcyon days of 2FA were soon to be forbidden fruit. CNET claimed, "SMS-based two-factor authentication will soon be banned." Dabbing away tears, we were told, the age of 2FA is over and we should "Say Goodbye to SMS Two-Factor Authentication."

Suddenly, news outlets and tech blogs were telling us, bizarrely, that Apple was under attack by NIST. Apple wasn't actually targeted in the NIST document, but headlines proclaimed "U.S. to ban Apple and others from SMS two-step authentication." Here at Engadget we came this close to making a video, our mascara running as we sobbed into the camera begging NIST to leave Apple alone!

Ultimately, the anti-2FA mob mentality out-crazied our craziness. We were simply outdone when people started telling the public that SMS authentication was now deemed "no longer safe."

The punchline? No, I think we've been punched enough, thanks.

Still, there's always room for a little insult added to injury. While CNET was telling readers that 2FA was decreed dangerous and about to be banned, government publications bothered with the details and got to the truth.

The coming two-factor apocalypse was only really coming for government agencies, and the recommendation to depreciate SMS would be for new implementations on the road ahead. "The SP-800-63 document set provides technical and procedural guidelines to agencies," Defense Daily wrote. "The recommendation includes remote authentication of users (employees, contractors, or private individuals) interacting with government information technology (IT) systems over open networks."

The public may be none the wiser after this week. If they're reading Apple Insider or Sci Tech as gospel, the logical next step would appear to be quitting two-factor altogether. Or, just setting fire to your laptop and throwing it out the window.

Either way, it's a bad message to send. As many people as possible should be adding this second step to logging in because they are not edge cases, and 2FA is actually making the general public safer.

The real problem here is, as usual, people freaking out about security issues that require more than a "hot take." It's a phase in our collective infosec adolescence I worry we'll never grow out of.