The default option for Google’s two-factor authentication (2FA) is to have a code sent to you via SMS. The US National Institute of Standards and Technology (NIST), which sets the standards for authentication software, says that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred …
While NIST guidelines do not have the power of law, most major companies do abide by them, suggesting that Google is likely to drop support for SMS authentication once the recommendation is published.
Google’s current options for two-factor authentication are:
- a code sent by SMS to a trusted phone number (the default option)
- a phone call to a trusted phone number
- a code provided by the Authenticator app
- Google Prompt
The current NIST draft says only that companies must ensure that trusted phone numbers are associated with a mobile network, and not a virtual number operating via a VoIP service. This is because VoIP services could be compromised. However, a single sentence at the end of the relevant text says that ‘Out of band [verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.’
One potential source of confusion here is that the term ‘out of band’ can be used in different ways. It refers to a physically separate channel, which in telecoms terms is sometimes used to refer to VoIP services. However, in security terms, logging in on the web and receiving a verification code by phone would also be considered out of band. The reference here appears to be to the latter, suggesting that all use of SMS will be barred.
Google is likely to promote its recently-introduced Google Prompt option as the new default for compatible devices, and Google Authenticator as the alternative.