The National Institute of Standards and Technology has declared that SMS is dangerous for two-factor authentication. One reason they give is that SMS is linked to a SIM, which can be compromised by manipulating carriers. Suitable alternatives would include hardware (dongles) or software (apps) solutions that generate unique keys.
The goal of a 2FA system is to help guarantee that the person logging in with your password is actually you rather than a hacker who has guessed or stolen your password, or recovered it by cracking the passwords in a password dump from a hacked web site. “Two factor” refers to the fact that the system uses more than one way of verifying your identity – the password is the first factor, and the SMS code is one way of providing a second factor. There are several problems with SMS-based systems that led NIST to decide that SMS-based systems are insecure.