Apple, others may soon be barred from using SMS for two-factor authentication

“One of the options available when using Apple’s two-factor authentication (2FA) is to have a code sent to you via SMS,” Ben Lovejoy reports for 9to5Mac. “The US National Institute for Standards and Technology, which sets the standards for authentication software, says that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred.”

“While NIST guidelines do not have the power of law, most major companies do abide by them, suggesting that Apple is likely to drop support for SMS authentication once the recommendation is published,” Lovejoy reports. “If you’re not already using two-factor authentication, it is highly recommended: check out our how-to guide.”


“The measure is being enforced because SMS is relatively insecure. The phone may not be in the original owner’s possession, for example, or the SMS may be hijacked by a VoIP service, Softpedia notes,” Michelle Starr reports for CNET. “The relevant paragraph of the draft reads: ‘[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.’”

Starr reports, “However, the draft also notes that two-factor authentication via a secure application or biometrics, such as a fingerprint scanner, may still be used.”


MacDailyNews Take: 2FA via SMS should have gone the way of the dodo already.


  1. Question: under this definition, is iMessage considered a “secure application?” I realize SMS can be sent via the iMessage app, but I would assume that Apple’s 2FA to an Apple device that uses iMessage would be secure (especially considering all the brouhaha over iMessage’s security and unbreakable encryption).

  2. SMS is not going to go anywhere in the near future. It is the most used messaging thing in the world. Billions of people use it every day (around 5 billion people).

  3. So exactly how do they propose to do two-factor authentication? Phone calls won’t work for the same reason, because most people no longer have a land line. Email? Many people get their email on their phones. People need to get the second factor now, not by snail mail, when they’re needing to get into accounts. Frankly, the odds of a crook having both the AppleID email and possession of a registered device for the second factor are slim. Apple’s iMessage, which requires an exchange of signatures and encryption keys, is far more secure than the wide open straight messaging of other systems, so they postulate their hypothetical crook now also has to have a man-in-the-middle ability. Again, a very minuscule probability. This would be throwing the baby out with the bath water because some baby once drowned in a bathtub due to parental inattention. In fact, it is more akin to never giving the baby a bath ever again for that reason!

  4. If you lose your phone and don’t have it securely locked, I can see how 2FA would be undermined: the perpetrator uses your phone web browser to log in, then gets the 2FA code sent to the stolen device. Easy peasy.

    Other than this scenario, 2FA via SMS is probably more secure than no 2FA via SMS (at least, for people who have not lost their phone). So it sounds like the moral of the story is: be absolutely sure your phone is secure. Activate _both_ fingerprint and strong password protection. And use automatic wipe with failed login attempts. At least until better security becomes available.

    Or am I missing something?
