Two factor ID is insecure

A US government standards body has released a draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication on the grounds of poor security.

For those who came in late, two-factor security is rather popular with the likes of Google, who seem to use it as a reason to ask you for your mobile phone number as part of a way of identifying you.

But the US National Institute of Standards and Technology (NIST), which sets the rules used by software makers to build secure services, and by government and private agencies to assess the security of their services and software, is not happy with the method.

It says that while SMS-based 2FA is still acceptable, it will not be for long.

NIST officials are discouraging companies from using SMS-based authentication, even saying that SMS-based 2FA might be considered insecure in future versions of the guideline. Basically, SMS-based two-factor authentication is an insecure process because the phone may not always be in the possession of its owner.

While the guideline recommends that apps use tokens and software cryptographic authenticators, these may also take the form of phone apps or devices that can be stolen or “temporarily borrowed”, just like phones.

The NIST guideline treats this risk as acceptable, but unlike tokens and cryptographic authenticators, SMS is considered insecure, especially over VoIP connections, because some VoIP services allow SMS messages to be hijacked.

Instead, it suggests that biometrics might be a more secure way of dealing with all this. In the meantime, it is probably better not to give Google your mobile number.