If there’s one thing we know about internet users, it’s that they often forget to use strong passwords to secure their online accounts. Countless studies have shown that too many people rely on passwords that are incredibly easy to guess, such as the one conducted by password management firm SplashData, which cited “password” and “123456” as the two most common passwords in existence.
The problem is that while many people recognize that their passwords are insecure, they are loath to change them. It’s often easier just to use the same simple word on multiple accounts, despite the obvious insecurity.
Two-factor authentication was supposed to be the big solution for those types of internet users. The most common form of this system sends users an SMS message every time they enter their password into an online account. That message contains a unique code, which they can subsequently enter to gain access. In effect, this means that even thieves who steal passwords cannot enter accounts secured by two-factor authentication.
Unfortunately, a new report suggests that this popular security measure may not be all that it is cracked up to be.
Recently, the National Institute of Standards and Technology (NIST) released a draft of its proposed Digital Authentication Guideline 800-63B, which is directed at federal agencies. While the report still endorsed the use of multiple factors in security, it actually advised people to stop using SMS messages as one of those factors.
The problem? SMS messages are getting much easier to hack, which could render the protection capabilities of two-factor authentication moot.
“What we’re seeing now is that the investment required by a malicious actor [to hack SMS] is going down, it’s getting easier to do,” Michael Garcia, the deputy director of authentication research program NSTIC at NIST, told Slate. “The scalability of that is sufficiently high that it’s really becoming a problem. It’s certainly better than just a password to use SMS and password, but it’s insufficiently secure for a lot of applications.”
For instance, the report noted that there is an increased chance of SMS messages being intercepted by third-parties. This is partly because of the increase in the number of VoIP communication services (Google Voice, Skype, etc.). which make it harder to tell whether a message is being sent over a cellular network, or something else.
There are other technologies that the NIST believes offer more security. Biometrics is becoming more common, such as on smartphones with fingerprint scanners built in. There is also hardware that will not allow users to log in unless they are holding specific tokens or dongles, which generate single-use codes and broadcast those to the device.
It’s important to turn on additional security measures for your most important online accounts, such as email or financial services. But users should know that the risk of identity theft never fully goes away.
An identity theft protection service like Identity Guard can help by monitoring your credit files, Social Security Number and public records. Our service can alert you to certain activity that could be indicative of fraud, allowing you to take action.