NIST Recommends Deprecation Of SMS Two-Factor Authentication

[Lucian Armasu]

The NIST recommended that SMS out of band authentication, a form of two-factor authentication done through a separate device from the one on which you login, should be deprecated in favor of more secure alternatives.

NIST Recommends Deprecation Of SMS Two-Factor Authentication : Read more

 

[m-p-3]

Looks like Twitter might eventually have to provide 2FA over something else than SMS only, like proper Google Authenticator support.

 

[hpram99]

I'm in favor of this. SMS isn't the most reliable, and I may be in a foreign country without SMS. If I have to use my phone anyway, let me use a standard Time-based/HMAC-based token application. Google Authenticator is just one of the many TOTP apps available. I'm looking at you Valve, get rid of that stupid proprietary app that only works on Android so I can have my 2FA.

 

[velocityg4]

I hate SMS authentication. First I don't want to give the company my phone number. Second sometimes the friggin code never shows or takes a half hour. I use always on private browsing so I have to authenticate every time on some sites. It is a huge pain.

Companies need to have an option for those who want to always opt out of two factor authentication. My passwords are all randomized, rock solid and stored in an encrypted container with a practically impossible to break password. No one is going to figure it out in the first couple of tries before the account lockout kicks in.

My big worry with two factor authentication is if I lose my phone. I am royally f*****.

What would be better is if all logins allowed. Upper case, lower case, all symbol keys and fifty characters. Then allow second factor only for password resets.

I guess I can see two factor if you are rich or have access to sensitive information at a large company. I just run a small business and don't have much money. No one is going to waste their time trying to break into my accounts. When they can focus on someone with far more financial resources who is completely inept with computers.

 

[ubercake]

I'm all for making hackers put in extra effort. Keep the extra step. Most companies utilizing two-factor authentication give you the option to send the code to your cell phone or e-mail.

I like the authenticators too, but you need a new app for every service.