Thursday, August 4, 2016

The United States Department of Being Behind The Times

NIST is no longer recommending two-factor authentication systems that use SMS, because of their many insecurities.
(this is where when you log in, the server sends a text to your phone with a one time number to enter as part of the login process)

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.
I'm a fan of using SMS text messages to add security to the login routine.  The risk that NIST is pointing out is that as more phones move to Voice Over IP (VoIP), it is getting easier to spoof the SIP number.  They are probably right that this is an emerging threat, but for now I still recommend doing it (and in fact I do it all the time).

1 comment:

WOZ said...

I'm not nearly as concerned with the user facing security the SSA in forcing on us. It's the layers of bureaucracy that has already compromised what I've contributed over the last 50 years.