Even though the number of websites and services that use two-step verification as a way to secure accounts has increased over the years, the National Institute of Standards and Technology’s latest proposal might put a halt to the verification method.
In its mainstream incarnation, two-step verification, also known as multi-factor authentication and two-factor authentication, works by sending you a one-time code through SMS when logging into one of your digital accounts. In theory, even if someone has your username and password, they cannot access your account because you still have access to your phone. Two-step verification is not the end-all, be-all solution that will forever safeguard your accounts, but it has certainly proven resilient over time.
Unfortunately, recent malware like HummingBad and Stagefright shows that folks are finding more ways to remotely access your phone and, as such, your messages, thus raising concerns over two-step verification. Furthermore, as Slate points out, services like Skype and Google Voice have become more popular over the years, putting into question how secure transmission protocols used by two-step verification systems are.
As a result, NIST suggests the use of alternative authenticators to ensure the integrity of such systems.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” reads the government agency’s draft.
Based on the language of the draft, it seems that NIST wants agencies to avoid making new investments into two-step verification systems that use SMS messages and, instead, invest in alternative solutions like biometrics and apps that create one-time codes. However, NIST also warns that the use of SMS messages “may no longer be allowed in future releases of this guidance,” putting into question whether there will be an expiration date on such uses.
Michael Garcia, deputy director of authentication research program NSTIC at NIST, reaffirmed the draft’s language regarding SMS-based two-step verification systems, saying that alternative solutions should be considered if entities are at a point of reinvestment.
“We’re not saying federal agencies drop SMS, don’t use it anymore,” Garcia told Slate. “But, we are saying, if you’re making new investments, you should consider that in your decision-making.”
Overall, NIST’s draft does not mean much for people with digital accounts right now, but do not be surprised if, in time, companies like Google and Apple no longer want to send you one-time codes and, instead, opt for different, more secure methods of accessing your accounts. […]