Apple May Soon Have to Abandon SMS Two-Factor Authentication in USA


SMS-based two-factor authentication, which Apple and other companies employ and which seemed to be a good thing to have, is now considered deprecated by the National Institute of Standards and Technology, or NIST, the US agency that sets guidelines and rules on cryptography and security matters (via Engadget, TechCrunch).

In the latest draft of its Digital Authentication Guidelines, NIST states:

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
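The verifier rules in that draft, sketched here as an added Python example (not Apple's or NIST's code): refuse to send an SMS code to a number that is not on a mobile network, keep each code single-use and short-lived, and require a second factor completed at the time of a phone-number change. The number-type table is a constructed stand-in for a carrier lookup service.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for a carrier number-type lookup (assumption, not a real service).
NUMBER_TYPE = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "mobile",
}
OTP_TTL = 300          # seconds a sent code stays valid
CHANGE_WINDOW = 300    # seconds a completed second factor authorises a number change


@dataclass
class Account:
    phone: str
    pending: dict = field(default_factory=dict)  # {"code": ..., "expires": ...}
    second_factor_at: float = 0.0                # time of last successful OTP verification


class SmsVerifier:
    def __init__(self, lookup=NUMBER_TYPE, clock=time.time):
        self.lookup = lookup
        self.clock = clock
        self.outbox = []   # (phone, code) pairs handed to the SMS gateway

    def send_code(self, acct):
        kind = self.lookup.get(acct.phone)
        if kind != "mobile":   # VoIP, unknown or software-based numbers are refused
            raise ValueError(f"{acct.phone}: number type {kind!r} not allowed for SMS OOB")
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = {"code": code, "expires": self.clock() + OTP_TTL}
        self.outbox.append((acct.phone, code))

    def verify_code(self, acct, submitted):
        p, acct.pending = acct.pending, {}   # single use: consumed even on a wrong guess
        if not p or self.clock() > p["expires"]:
            return False
        if not secrets.compare_digest(p["code"], submitted):
            return False
        acct.second_factor_at = self.clock()
        return True

    def change_phone(self, acct, new_phone):
        # The change itself needs a second factor completed just now, and a mobile target.
        if self.clock() - acct.second_factor_at > CHANGE_WINDOW:
            raise PermissionError("second factor required at the time of the change")
        if self.lookup.get(new_phone) != "mobile":
            raise ValueError("new number must be on a mobile network")
        acct.phone = new_phone
        acct.second_factor_at = 0.0   # one verification must not authorise a second change
```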

Two-factor authentication through text messages is a popular way for users to add another layer of security to Apple’s iCloud or Apple ID. Users who have enabled two-factor authentication for Apple receive an SMS on a trusted device, a phone call to a trusted phone number or a code sent to a trusted device.

For now, services can continue to use SMS, as long as it isn’t via a service that virtualizes phone numbers, TechCrunch notes, as the risks with VoIP services are higher.

There don’t appear to be any implications for Canadians yet, as the NIST guidelines only apply in the U.S. But it brings forth the discussion of just how vulnerable SMS-based two-factor authentication can be, in an age of hackers and other security breaches.

Technology enthusiast, rocker, biker and writer of iPhoneinCanada.ca. Follow me on Twitter or contact me via email: istvan@iphoneincanada.ca

  • Apple has no obligation or significant motivation to follow the NIST *guidelines*. They will use SMS two-factor as long as they feel like it and as long as, in their discerning opinion, it is sufficiently secure.

  • Sterling Archer

    A popular YouTuber, Ethan from h3h3 productions, recently shed light on how unsafe 2-factor is with the current cell system.

    If someone clones your SIM, you’re done. And that’s sadly not that hard to do.

    Unless they can fix that, I don’t expect Apple will embrace an openly confirmed insecure method after what happened with iCloud gate.