How useful is it to use two-step verification to protect your online accounts? It seems the National Institute of Standards and Technology (NIST) isn’t a big fan, according to the latest proposal that might put an end to it.
Known in the mainstream simply as two-step verification, multi-factor authentication (and its common form, two-factor authentication) adds an extra layer of online security: after you enter your password, the service sends a unique code to your phone by SMS, and you must enter that code to log into your digital account.
In theory, hackers cannot access an account protected with two-step verification even if they have your username and password, because an attacker would also need access to your phone. In practice, two-step verification is not a blanket protection that safeguards your accounts forever.
Recent malware like Stagefright and HummingBad are proof of that. They show that attackers keep finding inventive new ways to remotely access your phone, which raises concerns over the protection offered by SMS-based two-step verification.
With the rise in popularity of Google Voice, Skype and similar services, which can receive SMS messages without the physical phone, the question of how secure the transmission protocols behind SMS two-step verification really are remains unanswered.
Consequently, NIST wants service providers and websites to consider alternative authenticators to increase the safety and integrity of such systems.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” according to the government agency’s draft.
The draft’s language suggests that NIST wants agencies to invest in alternative two-step verification solutions that don’t rely on the SMS service. Some of the possibilities include authenticator apps that generate one-time codes on the device itself and biometrics.
At the same time, NIST also warns that using SMS messages in safety protocols “may no longer be allowed in future releases of this guidance.”
In other words, it’s possible that SMS-based two-step verification will soon come to an end in federal guidance. Michael Garcia, deputy director of the NSTIC authentication research program at NIST, put the matter more plainly:
“We’re not saying federal agencies drop SMS, don’t use it anymore,” he said. “But, we are saying, if you’re making new investments, you should consider that in your decision-making.”