SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
SoylentNews
An article in TechCrunch describes changes that the National Institute for Standards and Technology (NIST) is considering to its Digital Authentication Guideline:
For now, services can continue with SMS as long as it isn't via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great. NIST isn't telling for now, but more info will come out as the comment period wears on. But before long all use of SMS will be frowned on, as the bolded passage clearly indicates.
Additional comments are available on Bruce Schneier's blog.
This discussion has been archived.
No new comments can be posted.
NIST Recommends Against Using SMS for 2-Factor Authentication
|
Log In/Create an Account
| Top
| 12 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
QOTD:
The forest may be quiet, but that doesn't mean
the snakes have gone away.
(Score: 4, Interesting) by Snotnose on Saturday August 06 2016, @04:04AM
Apparently they were prepared to accept it as long as SMS traveled via SS7 [wikipedia.org], the side channel that cell systems us to tell your handset a call is arriving. Phone companies used to jealously guard this channel, and charge blood for a text message because it used this signaling channel for non-call related messages.
I worked for Qualcomm while the IS-95 spec was being hammered out (early 90s). Part of that spec defined SMS (Simple Message Service) messages. In the CDMA protocol, every few ms (20 ms if memory serves) the handset calls the base station and says "hey, got anything for me?" The BS either says yay, in which case a call is setup, or nay, in which case the handset goes to sleep for another few ms.
Turns out, one of the messages in that transaction had to be 255 bytes long, but the information itself left something like 152 unused bytes. So SMS was created to use those unused bytes (yes chillen, that is why Twitter has a 140 byte limit). Nobody expected SMS messages to be used for much. 90% of my communication now is either face to face, or via texting.
We were flabbergasted when phone companies not only charged $0.10 per SMS, but consumers paid it! This is data the phone company had to send anyway, it cost them more to keep track of who sent what and do billing than it did to actually send the damned messages!
Fast forward a year or two, and people are using SMS all over the place. This was totally unexpected.
Now, some 20+ years later, I get unlimited messaging, some data cap I never go anywhere near reaching, and 60 minutes of talk time. I average maybe 10 minutes/month of talk time. Unfortunately, most of those minutes are the couple hours every few months I spend on hold waiting for tech support.
When the dust settled America realized it was saved by a porn star.
(Score: 2) by Snotnose on Saturday August 06 2016, @04:06AM
I really wish I could edit a post within a minute or two of submitting it. Or get better with the preview button.
When the dust settled America realized it was saved by a porn star.
(Score: 2, Funny) by tftp on Saturday August 06 2016, @06:09AM
I really wish I could edit a post within a minute or two of submitting it.
You can already, and it is very easy:
> diff -u foo1 foo2
--- foo1 2016-08-05 23:01:54.475719756 -0700
+++ foo2 2016-08-05 23:02:34.796049558 -0700
@@ -1,5 +1,5 @@
Now, some 20+ years later, I get unlimited messaging, some data cap
-I never go anywhere near reaching, and 60 minutes of talk time.
+I never go anywhere near reaching, and 600 minutes of talk time.
I average maybe 10 minutes/month of talk time. Unfortunately,
Anyone who cares can apply the patch - and you may choose to not care about the rest :-)