Two Factor Authentication and SMS -- No More
Published by The Lawfare Institute
All are, by now, no doubt familiar with two-factor authentication. It is the idea that when I try to log in somewhere, besides my username and password I have to give an additional proof of identity that is verified over some "out-of-band" channel. For example, when I log in to Lawfare, I can verify my identity by receiving a passcode via SMS text message and entering it; or I can get a phone call; or I can use an authenticator app that lets me approve the login from my cell phone.
Two-factor authentication is, of course, a good thing. It is a security plus. But there is a problem if our security plus is, itself, vulnerable. That is the tentative conclusion of NIST: two-factor authentication through SMS text messaging is not sufficiently secure. The weakness is the channel. A text message can be intercepted or redirected by an attacker who gets the victim's phone number moved to a SIM card of their own or who abuses the carrier network, and a code that arrives as a text is as easy to phish as a password. Here is what C/Net has to say on the topic: "In the latest draft of the Digital Authentication Guideline, the rules by which authentication software must abide, the US National Institute for Standards and Technology is preparing to get rid of SMS-based two-factor authentication. . . . The relevant paragraph of the draft reads: '[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.'"
Dedicated authenticator apps, like Duo, will still be allowed, but everyone (including Lawfare) needs to change their practice. Note that "deprecated" does not mean worthless: an SMS code still raises the bar above a bare password, but it should no longer be relied on to protect sensitive accounts. It is yet another example of how security practices are struggling to keep up with malevolent actors.