New NIST Guidelines Mean Apple and Others Could Stop Using SMS for Two-Factor Authentication

Posted in Apple, Apple News on 26/07/2016 by Chris Hauk


A new draft of the US National Institute of Standards and Technology’s (NIST) Digital Authentication Guidelines could lead to Apple and other technology firms dropping the use of SMS for two-factor authentication.



At any rate, the changes are numerous, but perhaps most relevant for Joe and Jane Six-Pack is the active discouragement of using SMS as an “out of band authenticator” — essentially, a method for delivering a one-time use code for 2FA.

Two-factor authentication via a text message has become a popular way for companies and users to add another layer of security to accounts. Apple’s own Apple ID and iCloud services use SMS messages to send a passcode to enable two-factor authentication. The message is sent to a “trusted” device, phone number, or via a phone call.

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
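
One way a verifier could enforce the requirements in the draft text quoted above, shown as an added example that is not code from NIST, Apple, or this article. The class and method names are hypothetical, and `lookup_line_type` and `send_sms` stand in for a carrier line-type lookup and an SMS gateway that the caller would supply.

```python
from enum import Enum


class LineType(Enum):
    MOBILE = "mobile"
    VOIP = "voip"
    UNKNOWN = "unknown"


class PolicyError(Exception):
    """A request violates the draft's out-of-band SMS rules."""


class SmsOobVerifier:
    def __init__(self, lookup_line_type, send_sms):
        # Both hooks are hypothetical: a carrier line-type lookup and an SMS gateway.
        self.lookup_line_type = lookup_line_type
        self.send_sms = send_sms
        self._numbers = {}  # user -> pre-registered number

    def _require_mobile(self, number):
        # Fail closed: refuse anything not positively identified as mobile.
        if self.lookup_line_type(number) is not LineType.MOBILE:
            raise PolicyError(f"{number} is not on a mobile network")

    def enroll(self, user, number):
        # Re-enrolling would sidestep the two-factor check in change_number.
        if user in self._numbers:
            raise PolicyError("already enrolled; use change_number")
        self._require_mobile(number)
        self._numbers[user] = number

    def change_number(self, user, new_number, two_factor_ok):
        # The draft forbids changing the number without two-factor
        # authentication at the time of the change.
        if not two_factor_ok:
            raise PolicyError("number change requires two-factor authentication")
        self._require_mobile(new_number)
        self._numbers[user] = new_number

    def send_code(self, user, code):
        number = self._numbers[user]
        # Check again on every send: the line type can change after enrollment.
        self._require_mobile(number)
        self.send_sms(number, code)
        return number
```

The check in `send_code` runs on each delivery rather than only at enrollment, so a number later moved to a software-based service stops receiving codes.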

While NIST guidelines do not have the same legal weight as an actual law, most major companies do follow the guidelines, which means Apple and other firms are likely to drop support for SMS authentication once the recommendations are published.

For more information about how two-factor authentication for Apple accounts currently works, visit the Apple Support website.

