What seemed to be a good thing to have, SMS-based two-factor-authentication employed by Apple and other companies, is considered deprecated by the National Institute of Standards and Technology, or NIST, the US agency that sets guidelines and rules in cryptography and security matters (via Engadget, TechCrunch).
In the latest draft of its Digital Authentication Guidelines, NIST states:
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
Two-factor authentication through text messages is a popular way for users to add another layer of security to Apple’s iCloud or Apple ID. Users who have enabled two-factor-authentication for Apple receive an SMS on a trusted device, a phone call to a trusted phone number or a code sent to a trusted device.
For now, services can continues to use SMS, as long as it isn’t via a service that virtualizes phone numbers, TechCrunch notes, as the risks with VoIP services are higher.
There doesn’t appear to be any implications for Canadians, yet, as the NIST guidelines only apply in the U.S. But it brings forth the discussion of just how vulnerable SMS-based two factor authentication can be, in the day of hackers and other security breaches.
