Wednesday, August 3, 2016

NIST no longer recommends TFA on SMS

"NIST no longer recommends TFA on SMS" -- lots of acronyms! NIST is the National Institute of Standards and Technology. TFA is two-factor authentication, and SMS is the common way texting is done on a smartphone. TFA requires a second item when logging in; e.g. for Gmail you enter your name and password, which triggers Google to send a text (SMS) with a code that you also enter -- two factors: password and texted code. In this way, if someone has stolen your password, they will be unable to log in unless they also stole and accessed your phone. SMS fails in multiple ways. One is a malware app on the phone. Another is social engineering (conning) the phone company into handing over access to the phone. I believe that the latter has been more common than the former. TFA can also be done with an authenticator app on the phone, and that is still recommended by NIST. For example, Google has an authenticator app.
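To show why an authenticator app does not share the weaknesses of the texted code, here is an added example (not from the original post) of the time-based one-time password scheme, TOTP (RFC 6238), that Google Authenticator implements: the code is derived on the phone from a shared secret and the current time, so no carrier or SMS channel is involved. The secret and time values used are the published RFC 6238 test vector, not anything tied to a real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a `digits`-digit decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).
    Phone and server compute this independently; nothing is transmitted."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    Uses a constant-time comparison so timing does not leak the code."""
    for delta in range(-window, window + 1):
        candidate = totp(key, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned (usually via QR code) with a
    base32 secret; this restores padding and decodes it to raw bytes."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


# Shared secret from RFC 6238 Appendix B (a published test value).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))          # RFC vector: 94287082
    now = int(time.time())
    print(totp(RFC_SECRET, now))                    # what the app shows now
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, now - 30), now))
```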
