New guidelines may push Apple to switch away from SMS for two-factor authentication
Newly published guidelines could lead Apple and other companies to find an alternative to SMS for two-factor authentication, such as dedicated apps, according to reports.

The U.S. National Institute of Standards and Technology has published a public preview of upcoming documents which specifically recommend against using SMS as an "out of band authenticator," TechCrunch noted. Such systems -- in Apple's case used to authenticate Apple IDs -- can send a verification code to a smartphone, which then has to be entered on the original device a person is trying to use.
The problem, according to the Institute, is that people can use virtual phone numbers in place of real ones, undermining the security of the process. For the moment, NIST is continuing to accept SMS for two-factor authentication as long as the number is linked to a real cellular network, but future guidelines will deprecate SMS entirely.
Apple's system is optional, and not strictly dependent on phone numbers. Without one, though, people must have a second Apple device handy to display verification codes.
To keep two-factor authentication practical while meeting NIST standards, Apple would likely have to develop authenticator apps for other platforms, such as Android and Windows. Companies like Google and Valve already offer multi-platform apps for their services.
Comments
Are they talking about people creating fake numbers to attach to their own accounts to receive the 2FA SMS messages?
It sends encrypted push notifications to your trusted devices. At least that's how it works for me. Am I missing something?
No, you're not. Apple is using iMessage to send the authorization, which is encrypted both ways, and you cannot set up a fake cell phone number to have it sent to another number. This is a Google/Android issue. Apple solved the problem before others figured it out. But let's not forget the government would like our communications less secure. I find it funny that NIST as well as DARPA have been working with companies to improve secure communication, and we have the Justice Department and FBI fighting to make it less secure.
2) iCloud isn't the only use of 2FA on an iPhone. There are plenty of other internet-facing services that benefit from 2FA that use SMS. Dropbox, for example.
"Which SMS numbers should I verify for my account?
You're required to verify at least one SMS-capable phone number for your account. You should consider verifying all SMS-capable phone numbers that you normally use with your iPhone or another mobile phone. You should also consider verifying an SMS-capable phone number used by someone close to you, such as a spouse or other family member. You can use this number if you're temporarily without access to your own devices."
So even with two-factor authentication, the more recent of the two, a valid phone number capable of receiving SMS is required.
"Trusted phone numbers
A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices."
Keep your trusted phone numbers up to date
To use two-factor authentication, you need at least one trusted phone number on file where you can receive verification codes. You can update your trusted phone numbers when you follow these steps:
If you want to add a phone number, click Add a Trusted Phone Number and enter the phone number. Choose to verify the number with a text or phone call, and click Continue. To remove a trusted phone number, click next to the phone number you want to remove."
In any event I don't think there's much danger from the way it's currently set up on either Apple or Google services, but with the update in NIST guidelines Apple will likely change it anyway. Google has already started the process, coming out with Google Prompt to avoid the SMS issues.
http://www.imore.com/how-set-two-step-authentication-google-and-gmail
What? How is it a Google/Android issue when they have been using open standard OTP tokens for years? SMS is just an additional option.
I don't have an iOS device, so I'm forced to use SMS for authentication. Tell me what Apple has solved in this case.
https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
This is what a lot of companies use (Github, Google, Microsoft, Facebook, Lastpass, etc)
Bottom line: 2FA is a modern security tool because we tend to have multiple, secure, connected devices on hand.
* I guess a smartphone user could use TOTP with a SW key generator on that device but that would invalidate any additional security offered by such a setup.
TOTP apps have their own password.
Say I'm logging into a pay service from my phone and I only have just that device. If I cannot require verifying future login attempts by having another identification channel I have access to (such as an SMS text message to a cell number I own, to verify I'm not someone else with my stolen login credentials), then how else can you use two-step with only that one device?
If you cannot use an SMS or a "voice text" to a land line, is the only other way to use a security app? How is that app verified as being used by me, and not by another party with my login credentials to generate keys? Is there two-step verification with the security app? If so, what if it cannot use an SMS message per the new rules? If the app is removed it loses any local encrypted key. If it needs to be installed on a new device, how is it then still used by existing services looking for the old key to verify I was the original account creator?
I must be missing something. My experience with two-step verification is that any time I log into a service using it, I'm good after the first verification. If I use another browser or device, or clear my browser data, I have to re-verify I am the account creator by that second channel of communication (text messaging to my cell). If NIST says I can't use my cell phone as that second channel of verification, what do you use?