Sunday July 31, 2016

U.S. Government Says SMS Codes Aren’t Safe

The National Institute of Standards and Technology has declared that SMS is dangerous for two-factor authentication. One reason they give is that SMS is linked to a SIM, which can be compromised by manipulating carriers. Suitable alternatives would include hardware (dongles) or software (apps) solutions that generate unique keys.

The goal of a 2FA system is to help guarantee that the person logging in with your password is actually you rather than a hacker who has guessed or stolen your password, or recovered it by cracking the passwords in a password dump from a hacked web site. "Two factor" refers to the fact that the system uses more than one way of verifying your identity: the password is the first factor, and the SMS code is one way of providing a second factor. There are several problems with SMS-based systems that led NIST to decide that SMS-based systems are insecure.