A new draft of the US National Institute for Standards and Technology’s (NIST) Digital Authentication Guidelines could lead to Apple and other technology firms dropping the use of SMS for two-factor authentication.
The changes in the draft are numerous, but the one most relevant to Joe and Jane Six-Pack is the active discouragement of using SMS as an “out of band authenticator” — that is, as a channel for delivering a one-time code for 2FA.
Two-factor authentication via a text message has become a popular way for companies and users to add another layer of security to accounts. Apple’s own Apple ID and iCloud services use SMS messages to send a passcode to enable two-factor authentication. The message is sent to a “trusted” device, phone number, or via a phone call.
The relevant passage of the draft reads: “If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
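The three rules in that passage (mobile-network numbers only, no number change without a second factor, and a single-use one-time code) as a verifier sketch. This is an added example, not code from the article or from NIST; the line-type table and the phone numbers in it are constructed placeholders standing in for a real carrier lookup.

```python
import hmac
import secrets
import time

# Constructed stand-in for a carrier / number-type lookup service.
# Numbers and classifications here are made up for the example.
CONSTRUCTED_LINE_TYPES = {
    "+15550100": "mobile",
    "+15550199": "voip",
}


def line_type(number, lookup=CONSTRUCTED_LINE_TYPES):
    """Return 'mobile', 'voip' or 'unknown' for an E.164 number."""
    return lookup.get(number, "unknown")


class SmsOobVerifier:
    """Verifier side of SMS out-of-band authentication per the draft's rules."""
    CODE_TTL = 300  # seconds a delivered code stays valid

    def __init__(self, clock=time.time):
        self.numbers = {}   # user -> pre-registered telephone number
        self.pending = {}   # user -> (code, expiry timestamp)
        self.clock = clock

    def set_number(self, user, number, second_factor_ok):
        # Changing an existing number SHALL NOT succeed without 2FA.
        if user in self.numbers and not second_factor_ok:
            raise PermissionError("number change requires a second factor")
        # Only numbers the lookup confirms as mobile-network lines are accepted;
        # VoIP and unknown classifications are both rejected.
        if line_type(number) != "mobile":
            raise ValueError(f"{number} is not a mobile-network number")
        self.numbers[user] = number

    def send_code(self, user, deliver):
        """Generate a 6-digit code and hand it to the SMS gateway callback."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.clock() + self.CODE_TTL)
        deliver(self.numbers[user], code)

    def verify_code(self, user, submitted):
        # Pop on every attempt: a code is single-use, and a wrong guess
        # discards it rather than leaving it open to further guessing.
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)
```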
While NIST guidelines do not have the same legal weight as an actual law, most major companies do follow them, which means Apple and other firms are likely to drop support for SMS authentication once the recommendations are published.
For more information about how two-factor authentication for Apple accounts currently works, visit the Apple Support website.