Slashdot Mirror

← Back to Stories (view on slashdot.org)

NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com)

Posted by BeauHD on from the security-risks dept.

An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the usage of tokens and software cryptographic authenticators instead. Even biometrics authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

2 of 150 comments (clear)

  1. Re:Typo by v1 · · Score: 1, Informative

    the editors don't read what the editors don't read.

    --
    I work for the Department of Redundancy Department.
  2. Re:the phone may not always be in possession phone by goose-incarnated · · Score: 4, Informative

    Hasn't it been shown that you can take a fingerprint left by someone (say, on their phone) and use it to fool a fingerprint scanner?

    It has been shown that this works for old, cheap or crappy fingerprint readers. Modern, state-of-the-art scanners can check for a pulse, or use other techniques to detect tampering. Anyway, the whole point of multi-factor is that each individual factor doesn't have to be perfect. Two layers that are each 90% secure are as good as one layer that is 99% secure.

    Biometrics are the worst factor; they reduce the efficacy of the other factors because they can never be changed while there will remain a nonzero number of devices that can be fooled (hence, they reduce the efficacy).

    The "modern state-of-the-art" that you refer to doesn't yet exist, but I'm sure that it will be secure when they install it in the future, in my flying car.

    --
    I'm a minority race. Save your vitriol for white people.