The National Institute of Standards and Technology (NIST) has published a recent draft of its Special Publication 800-63B, Digital Authentication Guideline, and it makes a shocking observation: SMS as a method of two-factor authentication just does not cut it. The Institute is pointing the tech industry toward better authentication alternatives. Because SMS messages are unreliable by nature, people may use them in the wrong way, and they should not be your top choice when seeking two-factor authentication for privacy. Of course, this puts a lot of computer giants in a bad spot. Google, Twitter and Facebook are among the companies that use SMS messaging as a security enhancement practice. They are not the only ones. The same applies to banking institutions, where the stakes are much higher: the account holder accesses the account with a password and a secret code, and the code arrives on their phone.
Unfortunately, hackers have many methods for acquiring SMS texts and using them to their benefit. Some malware redirects the messages. Impersonation is another method: pretending to be the owner of the account, they call the companies and demand that the SMS messages be sent to their own device. Sad to say, this is easier than we would have imagined! Services like VoIP are also vulnerable, since hackers can obtain sensitive data through them. For all these reasons, NIST recommends moving to more powerful alternatives as soon as possible.
Take Google as an example: the company has already launched an authentication app. The NIST document is still a draft, yet it is certain that security experts have already diagnosed problems with SMS messaging. Multi-factor authentication ought to become impenetrable, which is why new methods have to replace the old tactics. Various tools and products already in use aim to eliminate the threat of privacy breaches. The use of fingerprints, for instance, has become more popular over time.
Keith Graham, CTO at SecureAuth, has applauded the recent NIST draft and is in favor of the proposal. Speaking about the sophistication of hackers and their success in cracking SMS privacy, he said: “The days of vanilla two-factor approaches are no longer enough for security.” Still, we cannot ignore the fact that SMS remains a popular choice. A wide spectrum of people use it, and it is a convenient method for many Internet users. Until something as useful comes up, we are not sure that SMS is going anywhere anytime soon.
Before closing our article, it is important to note that NIST wants public feedback on the draft. So, if you think you have something to say on the topic, do not hesitate to do that!