As part of Apple’s two-step authentication service it’s possible for users to confirm their identity via an SMS sent to a trusted phone number.
That is about to change, however, according to the latest draft of the Digital Authentication Guideline, which reveals that the U.S. National Institute for Standards and Technology is set to ban all SMS-based two-factor authentication systems.
The reason? That SMS is far from a secure system, since the phone it’s sent to may not be in the original owner’s possession — while the message could also be hijacked by a VoIP (Voice over Internet Protocol) service.
“[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” the relevant passage of the new Digital Authentication Guideline reads.
While Apple is bound to conform to whatever the Digital Authentication Guideline lays out, it’s worth noting that this isn’t the end of its (highly useful) two-step authentication service. Instead, Apple will have to confirm users’ identities with other, more secure methods — such as Touch ID.
Source: CNET
8 responses to “U.S. to ban Apple and others from SMS two-step authentication”
Read the headline: thought this was going to be outrageous and very stupid
Read the article: learned that SMS authentication is way more insecure than I thought it could be. Not outraged
Just because they said so?
If I want to use SMS for my two factor, it should be up to me. In every case before a two factor is sent, they ask where I want them sent. If I have my phone obviously no one else does. So send it to my phone. If I am really worried about the VOIP, then I can choose a different method. In short; DON’T BAN SOMETHING, LET THE USER DECIDE!
Yep, exactly compliant with Apple’s philosophy… User choices!
The headline is just plain click-bait. NIST issue guidelines. They aren’t banning anything.
I’m still waiting for Apple to support 2FA in my country… It’s very annoying not to be able to use it at all.
They already have an alternative to SMS — you can have the code sent to a “trusted device” and it pushes the code to the phone.
Read the headline: thought this was going to be outrageous and very stupid
Read the article: realized this was outrageous and very stupid and also completely fabricated
1. Apple wasn’t mentioned ever
2. No one is making anything illegal
3. No one is banning anything
*sigh* this article should just be deleted for being the most embarrassing post on the site