Skip to main content

Apple & others may soon be barred from using SMS for two-factor authentication

iphone6-ios9-verification-text-notification

One of the options available when using Apple’s two-factor authentication (2FA) is to have a code sent to you via SMS. The US National Institute for Standards and Technology, which sets the standards for authentication software, says that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred …

While NIST guidelines do not have the power of law, most major companies do abide by them, suggesting that Apple is likely to drop support for SMS authentication once the recommendation is published.

Apple’s current options for two-factor authentication are:

  • a code sent to a trusted device (iPhone, iPad, iPod Touch or Mac)
  • a phone call to a trusted phone number
  • a code sent by SMS to a trusted phone number

The current NIST draft says only that companies must ensure that trusted phone numbers are associated with a mobile network, and not a virtual number operating via a VoIP service. This is because VoIP services could be compromised. However, a single sentence at the end of the relevant text says that ‘Out of band [verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.’

One potential source of confusion here is that the term ‘out of band’ can be used in different ways. It refers to a physically separate channel, which in telecoms terms is sometimes used to refer to VoIP services. However, in security terms, logging-in on the web and receiving a verification code by phone would also be considered out of band. The reference here appears to be to the latter, suggesting that all use of SMS will be barred.

If you’re not already using two-factor authentication, it is highly recommended: check out our how-to guide.

Via CNET

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear