Is iPhone’s SMS-Based Two-Factor Authentication an Obsolete Security Measure?


Two-factor authentication (2FA) is an added security measure that is commonly featured across Apple devices, designed to prevent strangers or unauthorized persons from accessing your account on new devices even if they know your password.

For instance, if you have an iPhone and attempt to access your account from a newly purchased iMac, you will receive a prompt and a verification code on your iPhone that you’ll need to enter to signal that you trust the new device. Trusted devices include iPhones, iPads, iMacs, and iPods that are running OS X El Capitan or iOS 9.

It’s relatively simple to use and activate. To turn on 2FA, tap Settings, then iCloud, then Apple ID. After that, tap Password & Security and toggle the switch to activate Two-Factor Authentication.

However, a new Digital Authentication Guideline released by the National Institute of Standards and Technology (NIST), which releases rules for securing electronic communications, suggests that SMS-based 2FA may be obsolete, raising the possibility that the popular security measure may be phased out eventually. The NIST declares in its guidelines that “[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” Engadget reports.

Out of band authentication refers to two-factor authentication in which a secondary device is used to verify access to the primary one.

Their argument makes sense. While 2FA adds an extra layer of security, SMS-based 2FA has one gaping flaw. Because iPhones display new text messages on the lock screen, an intruder would merely have to look at your screen to read the verification code. Beyond that, Engadget notes that SMS messaging has signaling flaws that render it vulnerable to intrusion, allowing attackers to forward your authentication messages before you even know you’ve received them. Specifically, if the phone number is associated with a VoIP service (a software-based service that virtualizes phone numbers) rather than an actual mobile network, SMS messages can be intercepted and rerouted.

While the NIST guidelines are not legally binding, they are widely accepted and have great influence on industry and government standards. As the guideline suggests, relying on SMS is a major vulnerability, and moving away from it is part of the answer. There are dedicated 2FA applications that automatically refresh the verification codes every 30 seconds, such as Google Authenticator and RSA SecurID, according to TechCrunch, that avoid the pitfalls of SMS.

The standards note that biometric authentication is acceptable only if it is used in conjunction with an additional authentication factor. Beyond that, the NIST guidelines permit the use of software cryptographic authenticators and hardware tokens.

You can peruse the guidelines and standards yourself on GitHub, where the NIST has released its Digital Authentication Guideline.

Stay tuned to see how Apple upgrades its two-factor authentication procedures.

Do you think two-factor authentication is obsolete? Let us know in the comments!
