US Government Agency Calls For The End Of SMS Authentication

SHARE THIS ARTICLE

REACH US

GENERAL INQUIRY

[email protected]

ADVERTISING

[email protected]

PRESS RELEASE

[email protected]

HOTLINE

+673 222-0178 [Office Hour]

+673 223-6740 [Fax]

Upcoming Events

Prayer Times

The prayer times for Brunei-Muara and Temburong districts. For Tutong add 1 minute and for Belait add 3 minutes.

Imsak	: 05:01 AM
Subuh	: 05:11 AM
Syuruk	: 06:29 AM
Doha	: 06:51 AM
Zohor	: 12:32 PM
Asar	: 03:44 PM
Maghrib	: 06:32 PM
Isyak	: 07:42 PM

The Business Directory

Security & Privacy

Home > Security & Privacy

US Government Agency Calls For The End Of SMS Authentication

July 28th, 2016 | 09:42 AM | 1282 views

ENGADGETS.COM

There Are Other, More Secure Two-Factor Systems Around.

The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.

NIST doesn't make clear why it's deprecating SMS two-factor, but there are a few reasons that make sense. Most phones display text messages on their lock screen, meaning a would-be attacker would be able to authenticate just by looking at your phone. There are also considerable flaws in signalling protocols that make SMS more vulnerable than other methods.

NIST's guidelines aren't legally binding, but other government agencies stick by them, and the industry at large will follow. So what's the alternative to SMS? There are plenty. The most prevalent are dedicated applications that deliver a two-factor code that refreshes every 30 seconds. Google Authenticator, Authy, Duo and other apps all essentially do the same thing with slight differences in presentation and execution. If you work for a large company, you might have used hardware that works on a similar principle, such as RSA SecurID dongles.

There are still plenty of sites and services that only offer SMS-based authentication, while others such as Facebook support both app- and SMS-based methods. And, of course, there are inexplicably some services with no protection at all. Instagram is one such outlier -- it's been slowly bringing two-factor to its userbase this year, but at the time of writing has yet to complete that roll out.

Source:
courtesy of ENGADGET

by Aaron Souppouris

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]