NIST is working on a set of documents that update its recommended standards on a variety of authentication and security issues. One of the changes puts an end to SMS-based two-factor authentication. Albeit a bit too late for Linus Tech Tips, who got hacked because of SMS-based 2FA.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. Its goal is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
The new guidelines are currently available for public preview on GitHub. Using GitHub is an unusual move, but it lets people view and comment on the changes. The introduction even says, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”
NIST is updating current technological standards and regulations. One of the changes catches our eye: an active warning against using SMS as an “out of band authenticator”. This is when companies text you a one-time code to log into an account with 2FA setup.
For now, companies can still use text messages as a form of authentication, provided that the customer has a pre-registered phone number, and not a VoIP service. Virtual phone services like Google Voice are less secure. Eventually, though, all forms of SMS-based 2FA will come to an end.
Other proposed changes include:
- LOA decoupled into its parts
- Complete change of identity proofing
- New guides on passwords (check out our guide here)
- Removal of insecure authenticators (tokens)
- Federation requirements and recommendations
- Bigger applicability of biometrics (we will cover this in a future article)
- New privacy requirements
- Usability considerations
Two Factor Authentication
In a previous article, we wrote that two-factor authentication (2FA) also known as two-step verification, is a method to keep your online accounts safe from hackers accessing your account. As an example, if you have 2FA set up with Facebook, you need to enter a unique code before you can log in. For some websites like Facebook, this code is generated by an authenticator app.
Security experts recommend using an authenticator app over SMS, and the new changes provide better protection for people that use two-factor authentication (and you should!). An article by Wired said,
“SMS is just not the best way to do this,” says security researcher and forensics expert Jonathan Zdziarski. “It’s depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”
All of these apps do the same thing, with maybe one or two differentiating features. 1Password is probably the most versatile app of the three since it is a password manager. Google Authenticator and Authy are free, but 1Password is a paid app because it has more features, and it is not just an authenticator app.
Right now there’s nothing much to worry about. These new changes will only affect companies that text customers one-use codes. This is a good thing because it is possible for hackers to intercept your text messages to get the code. Using an authenticator app is much more secure.