SoylentNews is people

posted by cmn32480 on Friday August 05 2016, @11:51PM
from the you-mean-plain-text-isn't-safe dept.

An article in TechCrunch describes changes that the National Institute for Standards and Technology (NIST) is considering to its Digital Authentication Guideline:

For now, services can continue with SMS as long as it isn't via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great. NIST isn't telling for now, but more info will come out as the comment period wears on. But before long all use of SMS will be frowned on, as the bolded passage clearly indicates.

Additional comments are available on Bruce Schneier's blog.


  • (Score: 0) by Anonymous Coward on Saturday August 06 2016, @12:11PM (#384742)

    > ... for my debit card, ...

    Am I missing something here? When a card is needed instead of cash (e.g., renting a car effectively requires a card), I thought debit cards were to be avoided and credit cards were the way to go?

  • (Score: 2) by Scruffy Beard 2 (6030) on Saturday August 06 2016, @03:33PM (#384769)

    Debit cards don't work for car rentals. Ask me how I know. :P

    Credit card companies (banks) like it that way.

    With debit cards, you are not going into debt with every purchase. That is why you pay the fees instead of the merchant.

  • (Score: 3, Informative) by theluggage (1797) on Saturday August 06 2016, @04:58PM (#384788)

    > Am I missing something here?

    Yes. This isn't about using the card for online shopping (where a credit card may have certain legal advantages): it's about an additional authorisation factor for online banking & direct money transfers.

    Basically, I can go online to get statements, move money between my accounts and make money transfers to registered payees with just the usual sort of password login, but if I want to register a new payee, the website sends me a challenge code: I need to plug my chip&pin debit card into the reader (think: cheap calculator with a card slot, not linked to the computer) unlock it with the card PIN, punch in the challenge and then type the resulting response into the computer. So, someone who hacks my online banking account can cause a fair amount of havoc but they can't add themselves as a payee and transfer out large sums without my card.

    NB: "Chip & Pin" is the system that has been working nicely in the UK, EU and elsewhere for the last decade whereby all debit/credit cards now have an embedded chip that can do challenge/response authentication once unlocked by the user's PIN (and therefore means that everybody has a handy token that could be used for 2-factor auth). I believe that, in the US, this system is known as "terminal out of order - please swipe card and sign", and PINs are somehow associated with the Number of the Beast - which is probably why the major online retailers don't support card readers (can't see why that would be hard - they already mostly re-direct you to the card company website for SecureCode/Verified By Visa/etc).
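
The add-a-payee flow described in the comment above, as an added example that is not part of the thread or any bank's actual code: a simplified model in which HMAC-SHA256 stands in for the card's real cryptogram. `Card`, `Bank`, `derive_response` and the 8-digit code length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_response(key: bytes, challenge: str) -> str:
    """Stand-in for the card's cryptogram: HMAC-SHA256 cut down to 8 digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Card:
    """Hypothetical chip card: the key never leaves it and needs the PIN."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self._tries_left = key, pin, max_tries

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        return derive_response(self._key, challenge)

class Bank:
    """Hypothetical bank side: password login alone cannot add a payee."""

    def __init__(self):
        self._keys, self._pending, self.payees = {}, {}, {}

    def issue_card(self, account: str, pin: str) -> Card:
        self._keys[account] = secrets.token_bytes(32)
        self.payees[account] = set()
        return Card(self._keys[account], pin)

    def start_add_payee(self, account: str, payee: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[account] = (challenge, payee)
        return challenge

    def finish_add_payee(self, account: str, response: str) -> bool:
        # pop() makes each challenge single-use, whether or not it verifies
        challenge, payee = self._pending.pop(account, (None, None))
        if challenge is None:
            return False
        expected = derive_response(self._keys[account], challenge)
        if not hmac.compare_digest(response.encode(), expected.encode()):
            return False
        self.payees[account].add(payee)
        return True
```

A session holding only the account password can call `start_add_payee`, but without the card and its PIN it has nothing to pass to `finish_add_payee` except a guess, and each challenge accepts one attempt.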