New guidelines may push Apple to switch away from SMS for two-factor authentication

Newly published guidelines could lead Apple and other companies to find an alternative to SMS for two-factor authentication, such as dedicated apps, according to reports.




The U.S. National Institute of Standards and Technology has published a public preview of upcoming documents which specifically recommend against using SMS as an "out of band authenticator," TechCrunch noted. Such systems -- in Apple's case used to authenticate Apple IDs -- can send a verification code to a smartphone, which then has to be entered on the original device a person is trying to use.

The problem, according to the Institute, is that people can use virtual phone numbers in place of real ones, undermining the security of the process. For the moment, NIST is continuing to accept SMS for two-factor authentication as long as the number is linked to a real cellular network, but future guidelines will deprecate SMS entirely.

Apple's system is optional, and not strictly dependent on phone numbers. Without one, though, people must have a second Apple device handy to display verification codes.

To keep two-factor authentication practical while meeting NIST standards, Apple would likely have to develop authenticator apps for other platforms, such as Android and Windows. Companies like Google and Valve already offer multi-platform apps for their services.

Comments

  • Reply 1 of 17
    mknelson Posts: 1,125 member
    "The problem, according to the Institute, is that people can use virtual phone numbers in place of real ones, undermining the security of the process. "

    Are they talking about people creating fake numbers to attach to their own accounts to receive the 2FA SMS messages?
  • Reply 2 of 17
    hpaulh Posts: 16 member
    The real problem with email account security is the opportunity for intruders to mess around with the accounts. EXAMPLE: My wife has a very unique email address -- *********@me.com -- she has owned it from day one when @me.com accounts were made available by Apple. She has never once requested to Apple to change her password, or report she forgot her password, etc. Yet over the past 3 years she has weekly had individuals making these requests thus causing her account to be locked by Apple and requiring us to wait 8 hours later before we can unlock the account. All Apple would have to do to stop this merry-go-round would be to require these phony requests to be authenticated with a text message code or email message request for confirmation that the owner actually was the one making the request (or maybe there's an even better way). It's really nuts. Apple tech's response to us several times has been, "just give up the email address and go to something not so enticing to thieves." Like it's our fault we were early adopters and got a prime email address. Come on Apple!!!!
  • Reply 3 of 17
    TurboPGT Posts: 355 member
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?
  • Reply 4 of 17
    nhughes Posts: 770 editor
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?
    There is an option to send via SMS. You can choose how the verification number is sent.
  • Reply 5 of 17
    maestro64 Posts: 5,043 member
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?

    No, you're not. Apple is using iMessage to send the authorization, which is encrypted both ways, and you cannot set up a fake cell phone number to have it sent to another number. This is a Google/Android issue. Apple solved the problem before others figured it out. But let's not forget the government would like our communications less secure. I find it funny that NIST as well as DARPA have been working with companies to improve secure communication, and we have the Justice Department and FBI fighting to make it less secure.
  • Reply 6 of 17
    Soli Posts: 10,035 member
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?
    1) iCloud currently uses SMS for 2FA. It's not their default for iDevice users, but it's an option.

    2) iCloud isn't the only use of 2FA on an iPhone. There are plenty of other internet-facing services that benefit from 2FA that use SMS. Dropbox, for example.


    edited July 2016
  • Reply 7 of 17
    Roger_Fingas Posts: 148 member, editor
    maestro64 said:
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?

    No, you're not. Apple is using iMessage to send the authorization, which is encrypted both ways, and you cannot set up a fake cell phone number to have it sent to another number. This is a Google/Android issue. Apple solved the problem before others figured it out. But let's not forget the government would like our communications less secure. I find it funny that NIST as well as DARPA have been working with companies to improve secure communication, and we have the Justice Department and FBI fighting to make it less secure.
    Apple offers SMS authentication as an option, and it's the only two-factor authentication option that works if you only own a single Apple product.
  • Reply 8 of 17
    gatorguy Posts: 24,212 member
    maestro64 said:
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?

    No, you're not. Apple is using iMessage to send the authorization, which is encrypted both ways, and you cannot set up a fake cell phone number to have it sent to another number. This is a Google/Android issue. Apple solved the problem before others figured it out. But let's not forget the government would like our communications less secure. I find it funny that NIST as well as DARPA have been working with companies to improve secure communication, and we have the Justice Department and FBI fighting to make it less secure.
    Maestro, here's Apple's support doc on two-step verification, required before two-factor authentication. Yeah, sounds confusing with similar names.

    "Which SMS numbers should I verify for my account?

    You're required to verify at least one SMS-capable phone number for your account. You should consider verifying all SMS-capable phone numbers that you normally use with your iPhone or another mobile phone. You should also consider verifying an SMS-capable phone number used by someone close to you, such as a spouse or other family member. You can use this number if you're temporarily without access to your own devices."

    So even with two-factor authentication, the more recent of the two, a valid phone number capable of receiving SMS is required. 

    "Trusted phone numbers

    A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices."

    "Keep your trusted phone numbers up to date

    To use two-factor authentication, you need at least one trusted phone number on file where you can receive verification codes. You can update your trusted phone numbers when you follow these steps:

    1. Go to your Apple ID account page.
    2. Sign in with your Apple ID.
    3. Go to the Security section and click Edit.

    If you want to add a phone number, click Add a Trusted Phone Number and enter the phone number. Choose to verify the number with a text or phone call, and click Continue. To remove a trusted phone number, click next to the phone number you want to remove."

    In any event I don't think there's much danger from the way it's currently set-up on either Apple or Google services but with the update in NIST guidelines Apple will likely change it anyway. Google has already started the process, coming out with Google Prompt to avoid the SMS issues. 

    edited July 2016
  • Reply 9 of 17
    We need a standard for auth apps. I do not want to have to install dozens of them for different services.
  • Reply 10 of 17
    dysamoria Posts: 3,430 member
    What if a person only has one device of any kind at all? A single phone only, and no traditional computer? What will the NIST-approved process be? Not everyone has multiple computing devices.
  • Reply 11 of 17
    gatorguy Posts: 24,212 member
    howmanoid said:
    We need a standard for auth apps. I do not want to have to install dozens of them for different services.
    There's several companies that use Google as the backend for authentication. There's a discussion of it at iMore.
    http://www.imore.com/how-set-two-step-authentication-google-and-gmail
  • Reply 12 of 17
    gwydion Posts: 1,083 member
    maestro64 said:
    TurboPGT said:
    I'm confused...Apple doesn't use SMS now.

    It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?

    No, you're not. Apple is using iMessage to send the authorization, which is encrypted both ways, and you cannot set up a fake cell phone number to have it sent to another number. This is a Google/Android issue. Apple solved the problem before others figured it out. But let's not forget the government would like our communications less secure. I find it funny that NIST as well as DARPA have been working with companies to improve secure communication, and we have the Justice Department and FBI fighting to make it less secure.

    What? How is it a Google/Android issue when they have been using open standard OTP tokens for years? SMS is just an additional option.

    I don't have an iOS device, so I'm forced to use SMS for authentication. Tell me what Apple has solved in this case.
  • Reply 13 of 17
    gwydion Posts: 1,083 member
    dysamoria said:
    What if a person only has one device of any kind at all? A single phone only, and no traditional computer? What will the NIST-approved process be? Not everyone has multiple computing devices.

    https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

    This is what a lot of companies use (Github, Google, Microsoft, Facebook, Lastpass, etc)
  • Reply 14 of 17
    Soli Posts: 10,035 member
    dysamoria said:
    What if a person only has one device of any kind at all? A single phone only, and no traditional computer? What will the NIST-approved process be? Not everyone has multiple computing devices.
    I don't understand your queries. If one has only one device in which to access an account then 2FA clearly wouldn't be an option. TOTP also wouldn't work as it requires a second device to be used for security reasons*, even if it's only a basic SecurID security token fob.

    Bottom line: 2FA is a modern security tool because we tend to have multiple, secure, connected devices on hand.

    * I guess a smartphone user could use TOTP with a SW key generator on that device but that would invalidate any additional security offered by such a setup.
    edited July 2016
  • Reply 15 of 17
    gwydion Posts: 1,083 member
    Soli said:
    dysamoria said:
    What if a person only has one device of any kind at all? A single phone only, and no traditional computer? What will the NIST-approved process be? Not everyone has multiple computing devices.
    I don't understand your queries. If one has only one device in which to access an account then 2FA clearly wouldn't be an option. TOTP also wouldn't work as it requires a second device to be used for security reasons*, even if it's only a basic SecurID security token fob.

    Bottom line: 2FA is a modern security tool because we tend to have multiple, secure, connected devices on hand.

    * I guess a smartphone user could use TOTP with a SW key generator on that device but that would invalidate any additional security offered by such a setup.

    TOTP apps have their own password.
  • Reply 16 of 17
    lostkiwi Posts: 639 member
    hpaulh said:
    The real problem with email account security is the opportunity for intruders to mess around with the accounts. EXAMPLE: My wife has a very unique email address -- *********@me.com -- she has owned it from day one when @me.com accounts were made available by Apple. She has never once requested to Apple to change her password, or report she forgot her password, etc. Yet over the past 3 years she has weekly had individuals making these requests thus causing her account to be locked by Apple and requiring us to wait 8 hours later before we can unlock the account. All Apple would have to do to stop this merry-go-round would be to require these phony requests to be authenticated with a text message code or email message request for confirmation that the owner actually was the one making the request (or maybe there's an even better way). It's really nuts. Apple tech's response to us several times has been, "just give up the email address and go to something not so enticing to thieves." Like it's our fault we were early adopters and got a prime email address. Come on Apple!!!!
    I have real sympathy for you as I have had similar experiences. I have lost count of how many times I have had to reset the Apple ID password. I also do not want to give up the email address.
  • Reply 17 of 17
    dysamoria Posts: 3,430 member
    Soli said:
    dysamoria said:
    What if a person only has one device of any kind at all? A single phone only, and no traditional computer? What will the NIST-approved process be? Not everyone has multiple computing devices.
    I don't understand your queries. If one has only one device in which to access an account then 2FA clearly wouldn't be an option. TOTP also wouldn't work as it requires a second device to be used for security reasons*, even if it's only a basic SecurID security token fob.

    Bottom line: 2FA is a modern security tool because we tend to have multiple, secure, connected devices on hand.

    * I guess a smartphone user could use TOTP with a SW key generator on that device but that would invalidate any additional security offered by such a setup.
    Maybe my query was poorly worded. Sorry.

    Say I'm logging into a pay service from my phone and I only have just that device. If I cannot require verifying future log in attempts by having another identification channel I have access to (such as SMS text message to a cell number I own, to verify I'm not someone else with my stolen login credentials), then how else can you use two-step with only that one device?

    If you cannot use a SMS or a "voice text" to a land line, the only other way is to use a security app? How is that app verified as being used by me, and not by another party with my login credentials to generate keys? Is there two-step verification with the security app? If so, what if it cannot use a SMS message per the new rules? If the app is removed it loses any local encrypted key. If it needs to be installed on a new device, how is it then still used by existing services looking for the old key to verify I was the original account creator?

    I must be missing something. My experience with two-step verification is that any time I log into a service using it, I'm good after the first verification. If I use another browser or device, or clear my browser data, I have to re-verify I am the account creator by that second channel of communication (text messaging to my cell). If the NIST says I can't use my cell phone as that second channel of verification, what do you use?
    edited July 2016