Apple May Soon Have to Abandon SMS Two-Factor Authentication in USA

SMS-based two-factor authentication, used by Apple and many other companies and long regarded as a sensible extra layer of protection, is now considered deprecated by the National Institute of Standards and Technology (NIST), the US agency that sets guidelines and rules in cryptography and security matters (via Engadget, TechCrunch).
In the latest draft of its Digital Authentication Guidelines, NIST states:
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
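The two SHALL requirements in that paragraph can be enforced in a few lines of verifier logic. The following is an added illustration, not code from the article or from NIST; the number-type table is a constructed stand-in for whatever carrier lookup a real verifier would use, and the 300-second window for a "recent" second factor is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table standing in for a real number-type query.
# The draft only requires that the verifier perform such a check.
NUMBER_TYPE = {
    "+15550100": "mobile",  # constructed sample: mobile-network number
    "+15550101": "voip",    # constructed sample: software-based number
}

class PolicyError(Exception):
    """Raised when an action would violate the out-of-band SMS policy."""

@dataclass
class Account:
    phone: str
    # Unix timestamp of the last completed two-factor login, if any.
    last_2fa_at: Optional[float] = None

def sms_oob_allowed(phone: str) -> bool:
    """SMS out-of-band is permitted only to a number on a mobile network."""
    return NUMBER_TYPE.get(phone) == "mobile"

def send_sms_code(acct: Account) -> str:
    """Send the one-time code only after the mobile-vs-VoIP check passes."""
    if not sms_oob_allowed(acct.phone):
        raise PolicyError("SMS OOB refused: number is VoIP, software-based or unknown")
    # Real code would generate and deliver a code here; we just report the target.
    return f"sent code to {acct.phone}"

def change_phone(acct: Account, new_phone: str, now: float,
                 max_age: float = 300.0) -> Account:
    """The pre-registered number may change only right after a completed 2FA."""
    if acct.last_2fa_at is None or now - acct.last_2fa_at > max_age:
        raise PolicyError("phone change refused: second factor not verified at time of change")
    acct.phone = new_phone
    return acct
```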
Two-factor authentication through text messages is a popular way for users to add another layer of security to Apple’s iCloud or Apple ID. Users who have enabled two-factor authentication for Apple receive an SMS on a trusted device, a phone call to a trusted phone number, or a code sent to a trusted device.
For now, services can continue to use SMS, as long as it isn’t via a service that virtualizes phone numbers, TechCrunch notes, as the risks with VoIP services are higher.
There don’t appear to be any implications for Canadians yet, as the NIST guidelines only apply in the U.S. But it brings forward the discussion of just how vulnerable SMS-based two-factor authentication can be in an era of hackers and frequent security breaches.
Apple has no obligation or significant motivation to follow the NIST *guidelines*. They will use SMS two-factor as long as they feel like it and as long as, in their discerning opinion, it is sufficiently secure.
A popular YouTuber, Ethan from h3h3 productions, recently shed light on how unsafe 2-factor is with the current cell system.
If someone clones your SIM, you’re done. And that’s sadly not harder to do.
Unless they can fix that, I don’t expect Apple will embrace an openly confirmed insecure method after what happened with iCloud gate.