The U.S. National Institute of Standards and Technology (NIST) says in a new draft of its Digital Authentication Guideline (SP 800-63B) that SMS-based two-factor authentication should no longer be used, because SMS messages can be intercepted or redirected. “[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance,” the document reads.
As Engadget notes, NIST guidelines aren’t binding. But federal agencies typically abide by them, and the private sector will likely fall in line, too.
So what’s next then? SMS was a nice alternative because everyone already has a cell phone and carries it, so sending the code there made a lot of sense. If we move away from that, where do we go? Authenticator apps are ok, but it depends on the kind. Push-notification apps, where the login prompt is sent to the phone for approval, do need a data connection. TOTP apps (Google Authenticator and the like) don’t: the code is computed on the phone from a shared secret and the current time, so they work with the phone in airplane mode. With a push-based app, if I’m overseas or somewhere with no cell service, to get into my email I have to get my laptop and my cell phone onto wifi just to approve the login. Not impossible, but not really as easy.
Plus, once we move away from SMS, hackers will be right after those apps too. It never ends.