SMS Two-Factor Authentication is unreliable but still in use

smartphone-sms

Two-factor authentication (2FA), also known as multi-factor authentication, might not be enough, the US National Institute of Standards and Technology (NIST) has repeatedly warned us this year. Meant to provide an extra layer of security by sending a code to a token generator or an SMS to a phone only the user has access to, this option has annoyed users and not necessarily stopped hackers.

In 2011, Google became the first company to understand that the original first layer of online security consisting of username and password was no longer a reliable option to authenticate users, so they implemented two-factor authentication. Other companies soon followed, and multi-factor authentication started being used to withdraw cash, access internet banking, make payments and access social media accounts and emails.

The problem with getting codes on your phone is that phone cloning is not difficult and, with so many malware strains going after tokens and operating systems for mobile, the user will probably not even know the phone has been tampered with.

NIST, a non-regulatory federal agency, actually suggested eliminating two-factor authentication through SMS and voice due to unreliability and high risk, and pushed for additional control methods.

“Out-of-band authentication using the PSTN (SMS or voice) is deprecated, and is being considered for removal in future editions of this guideline,” reads their Digital Authentication Guideline. “If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier SHALL verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service.”

As far as online security is concerned, we still have a long way to go because hackers are getting competitive and developing complex schemes. Until recently, SMS two-factor authentication was the best option to secure accounts online, as passwords have become easy to hack. Although this option might not be 100 percent reliable, it’s still better than nothing, so users are encouraged to add this layer of security to their accounts that allow it.

Leave a Reply