Two-factor authentication has long been accepted as one way to log into online systems. Requiring a second authentication factor is widely recognized as a more secure practice than requiring only a password.
Two-factor authentication, or 2FA as it's commonly called, refers to requiring more than one proof of identity each time an account is accessed. So instead of simply entering a password, you do that in addition to entering a protected PIN or a randomly generated access code. Some online games even come with a security token that you can download to your phone to generate a random number every time you log in.
This method is generally accepted as more secure. It isn't impervious to hackers, according to CNET contributors Seth Rosenblatt and Jason Cipriani, but it does offer a greater level of protection than the alternative. However, there are a few key flaws in this system that need to be brought to light.
This brings us to the recent news surrounding the U.S. National Institute of Standards and Technology and the federal authentication guidelines that the institute reevaluates on a regular basis.
What's the scoop?
In July 2016, the NIST released the latest draft of the Digital Authentication Guideline, which is a living document that details the federal standards for internet security. The NIST placed four documents on GitHub and will be soliciting feedback from the public regarding some of the proposed changes to the authentication guidelines.
With this latest draft, the NIST announced that Special Publication 800-63 would undergo a "transformational change," according to Security ID News. A good portion of the comments and editing will take place on GitHub throughout the rest of this summer. Among the changes, GCN contributor Mark Rockwell reported, is a requirement for individuals to establish their identities via a detailed and complicated series of steps.
"Under NIST's scheme for digital authentication, individuals would establish their identity through what's called identity assurance and prove their credentials to access a given system through authenticator assurance – possibly a chipped and encrypted identity card," Rockwell wrote.
Also included in the proposed changes to the document is a reference to 2FA that utilizes SMS. Going forward, the NIST will disallow certain uses of SMS-based 2FA. The actual notice reads: "[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." This means that eventually, internet users will no longer be able to use text messaging services as their second layer of authentication.
The reasoning behind this change is simple: There's no guarantee that the message won't get sent to an old phone. In addition, it may be easy for hackers to intercept these randomly generated codes if the phone number is connected to a VoIP service or something similar. The codes can also be stolen by Android malware on infected devices, making SMS-based 2FA not entirely secure. Hence, the NIST's decision to deprecate this use of codes delivered over the air makes sense.
Should you be worried?
In all, 2FA provides a critical second layer of protection to users who might otherwise rely on their passwords alone, and this is better than nothing at all. Some flaws in the way 2FA works, however, point to the need to invest in better cyber security tools down the line as well.
Ars Technica contributor Kapil Haresh wrote that the two-factor authentication Apple uses to protect users' Apple IDs has another key flaw: It doesn't work when Lost Mode is enabled after the phone has been pinged using the "Find My iPhone" feature. This could let hackers ascertain the location of an iPhone user and schedule a remote erasure of all data and information on connected devices.
Trend Micro researchers had some succinct advice for security administrators, however: An additional level of security is always preferable to the alternative.
"In the security industry there is a tendency to let the perfect be the enemy of the good," Trend Micro technical communications researcher Jonathan Leopando wrote. "This is a good example. 2FA via text messages, for all its flaws, is still an improvement over an ordinary username-and-password system. In addition, the barriers to entry – cost, ease of use and hardware requirements – are lower than with more secure 2FA systems."
The bottom line is: You shouldn't entrust your entire online presence to two-factor authentication, but it's better than having nothing between you and the hackers. While this method still provides a stronger security framework than having no strategy at all, the best defense against hackers and malware is still cyber security software.