{"id":4134,"date":"2016-07-28T15:23:08","date_gmt":"2016-07-28T09:53:08","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=4134"},"modified":"2016-07-28T15:23:08","modified_gmt":"2016-07-28T09:53:08","slug":"nist-recommends-sms-two-factor-authentication-deprecation","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/nist-recommends-sms-two-factor-authentication-deprecation\/","title":{"rendered":"NIST Recommends SMS Two-Factor Authentication Deprecation"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/ift.tt\/2abOYa5\" title=\"NIST Recommends SMS Two-Factor Authentication Deprecation | Threatpost | The first stop for security news\"><\/p>\n<div>\n<div class=\"entry-content\">\n<p>A U.S. government agency said\u00a0the end is nigh for SMS-based two-factor authentication, citing a\u00a0lack of security around the feature.<\/p>\n<p>The latest\u00a0draft version of the <a href=\"https:\/\/ift.tt\/28QyQsR\">Digital Authentication Guideline<\/a> issued this week by the U.S. 
National Institute of Standards and Technology (NIST) said the practice would soon be discouraged.<\/p>\n<p>The Digital Authentication Guideline (SP 800-63-3) sets the authentication requirements that U.S. federal agencies must follow, and it is widely adopted as a baseline by industry.<\/p>\n<p>Acknowledging there\u2019s a\u00a0risk that\u00a0SMS messages can be intercepted or redirected, NIST is encouraging any service considering adopting 
two-factor authentication in the future to\u00a0\u201cconsider alternative authenticators.\u201d<\/p>\n<p>In the document, NIST states that a verifier must confirm that the phone number to which it sends codes belongs to a real mobile network and not to a VoIP service, since a software-based number can be obtained and forwarded without possession of any particular device. It then states that the method may be disallowed in future releases.<\/p>\n<blockquote>\n<p>\u201cIf the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.\u201d<\/p>\n<\/blockquote>\n<p>\u201cChanging the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance,\u201d the document reads.<\/p>\n<p>The document does support biometrics, at least in limited use, for authentication. As long as a biometric is used alongside another authentication factor, it is permissible, NIST says. Biometrics on their own have non-zero false match rates, can be spoofed, and \u201cdo not provide confidence in the authentication of the subscriber by themselves.\u201d<\/p>\n<p>NIST has stressed the document is a public preview, meaning the requirements are not in force yet and are still subject to comment. NIST will seek comments for roughly two weeks and follow that with a two- to three-week period for editors to review those comments.<\/p>\n<p>The agency is seeking comment on SP 800-63-3 via GitHub. While the platform may seem like an unorthodox choice, NIST said\u00a0it considers the site a robust forum for drafting the document and is encouraging substantive technical and procedural comments. 
NIST first called on the public to help the agency map out the guideline when it previewed it on GitHub initially,<a href=\"https:\/\/ift.tt\/2aqCnN9\">\u00a0in May<\/a>.<\/p>\n<p>Several services have already begun moving away from\u00a0SMS-delivered codes toward codes generated on the device itself.\u00a0Facebook\u00a0uses something called Code Generator as part of its login approvals feature. When a user turns it on, they are asked at login for a security code, generated in the app, that changes every thirty seconds.\u00a0Google has a similar function, Google Authenticator, that supplies users with\u00a0a six- to eight-digit one-time password. Companies such as\u00a0Authy and Duo specialize in such solutions as well.<\/p>\n<p>Two-factor authentication has become almost ubiquitous over the last several years. The SMS variant, in which a service sends the user a code to enter along with a password as an added layer of security, has been adopted across multiple industries. Companies such as\u00a0<a href=\"https:\/\/ift.tt\/2abOy3E\">Apple<\/a>, <a href=\"https:\/\/ift.tt\/2aqCg4k\">Dropbox<\/a>, <a href=\"https:\/\/ift.tt\/2abOAbM\">Snapchat<\/a>, <a href=\"https:\/\/ift.tt\/2aqCisS\">Evernote<\/a>, and <a href=\"https:\/\/ift.tt\/2abOCA7\">Twitter<\/a> have adopted two-factor authentication to combat account takeovers and compromises.<\/p>\n<p>Still, 2FA is no silver bullet; attackers and researchers alike have poked\u00a0holes in the method, mainly via man-in-the-middle attacks.\u00a0<a href=\"https:\/\/ift.tt\/2aqBVOL\">Two years<\/a> ago, researchers from Duo\u00a0found a way to bypass the mechanism used by\u00a0PayPal and transfer money from a victim\u2019s account to any recipient they chose. 
Vulnerabilities that let attackers bypass two-factor authentication have also surfaced in <a href=\"https:\/\/ift.tt\/2abODEd\">WordPress<\/a> plugins and in the implementations at <a href=\"https:\/\/ift.tt\/2aqCjNf\">Google<\/a> and <a href=\"https:\/\/ift.tt\/1XFlOzn\">Instagram<\/a>.<\/p>\n<\/div><\/div>\n<p>via https:\/\/ift.tt\/29ZUTxz<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A U.S. government agency said\u00a0the end is nigh for SMS-based two-factor authentication, citing a\u00a0lack of security around the feature. The latest\u00a0draft version of the Digital Authentication Guideline issued this week by the U.S. National Institute of Standards and Technology (NIST) said the practice would soon be discouraged. &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/nist-recommends-sms-two-factor-authentication-deprecation\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;NIST Recommends SMS Two-Factor Authentication 
Deprecation&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[],"class_list":["post-4134","post","type-post","status-publish","format-standard","hentry","category-itsec"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-14G","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4134"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4134\/revisions"}],"predecessor-version":[{"id":4135,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4134\/revisions\/4135"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4134"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}