It might be time to say goodbye to those text messages containing PINs to help you log into your favorite banking site.
The U.S. National Institute of Standards and Technology (NIST) released a draft of its latest guidelines on digital authentication this week, and it contains a disturbing bit of news for many financial services companies: SMS notifications are not recommended for two-factor authentication due to inherent vulnerabilities.
NIST is the agency within the Department of Commerce that sets national technology standards.
NIST argues that, above all, SMS-based two-factor authentication is insecure because the user may not actually be in possession of the device that receives the code. Instead, NIST recommends biometric methods of authentication, such as Apple’s Touch ID — something you are rather than something you have.
“This is a huge deal in my opinion,” said Yaniv Oz, co-founder and CEO of Hermetic Security, a startup in the current, inaugural class of the Bank Innovation INV accelerator, a sister venture to Bank Innovation. “Many banks will have to reevaluate their 2FA systems.”
Not only banks, but many tech-forward fintech players rely on the same method. SMS-based two-factor authentication is used by the nation’s three largest banks — JPMorgan Chase, Wells Fargo, and Bank of America — as well as other banks, and by fintech companies such as Circle and Coinbase, according to the site twofactorauth.org.
Some of these companies already employ alternative methods, which will make the transition away from SMS simpler, but removing an option users are comfortable with can bring problems of its own.
Tech giants such as Facebook and Google have already moved away from SMS-based two-factor authentication, in favor of codes generated within their own apps.
In addition to the device being stolen or otherwise in the wrong hands, NIST points out that some VoIP services are able to receive or take over SMS messages sent to a number, so the code may never reach a physical handset at all. (Some phone users allow children or spouses to add fingerprints to Touch ID in order to share devices, but that’s another matter.)
This remains a draft version of the digital guidelines, but it appears that SMS’s days as an authentication enabler are, er, numbered.