Two-factor authentication (2FA) via SMS and a smartphone provides a heavy dose of additional security for your data, but as the US government declared last year, it's not without its flaws. To fix that, the big four US mobile operators, Sprint, T-Mobile, Verizon and AT&T, have formed a coalition called the Mobile Authentication Taskforce to come up with a new system. Working with app developers and others, they'll explore the use of SIM card recognition, network-based authentication, geo-location, and other carrier-specific capabilities.
The idea is to marry current 2FA with systems that "reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are," according to the news release.
The problem with SMS authentication is that skilled hackers have successfully hijacked SMS codes in the past, often simply by contacting the carrier and impersonating the victim. It also falls apart if thieves grab your smartphone along with your PC, gain access to your phone via malware, or just steal a glance at a 2FA message on your lockscreen.
Through strong collaboration, the taskforce announced today has the potential to create impactful benefits for US customers by helping to decrease fraud and identity theft, and increase trust in online transactions.
The system will be an open one that can work with the four carriers and others. "We will be working closely with the taskforce to ensure this solution is aligned and interoperable with solutions deployed by operators," said Alex Sinclair, CTO of mobile industry group GSMA.
The goal of improving 2FA security sounds like a noble one, but Congress, at the urging of carriers and ISPs, recently eliminated certain customer privacy protection rules. As such, consumer protection groups might have concerns about 2FA systems that could be used by operators to track customers, for example.
The new system is supposed to arrive for "enterprises and customers in 2018," the group says. In the meantime, if you're still not using two-factor authentication (SMS or otherwise), you really, really should be.