New guidelines may push Apple to switch away from SMS for two-factor authentication


Newly published guidelines could lead Apple and other companies to find an alternative to SMS for two-factor authentication, such as dedicated apps, according to reports.

The U.S. National Institute of Standards and Technology has published a public preview of upcoming documents which specifically recommend against using SMS as an "out of band authenticator," TechCrunch noted. Such systems — in Apple's case used to authenticate Apple IDs — can send a verification code to a smartphone, which then has to be entered on the original device a person is trying to use.

The problem, according to the Institute, is that people can use virtual phone numbers in place of real ones, undermining the security of the process. For the time being, the NIST is continuing to accept SMS for two-factor authentication as long as a number is linked to a real cellular network, but future guidelines will deprecate SMS entirely.

Apple's system is optional, and not strictly dependent on phone numbers. Without one, though, people must have a second Apple device handy to display verification codes.

To keep two-factor authentication practical while meeting NIST standards, Apple would likely have to develop authenticator apps for other platforms, such as Android and Windows. Companies like Google and Valve already offer multi-platform apps for their services.