SMS to be banned as two-factor authentication system in the US

Ga77a

The United States will soon ban SMS as a way to implement two-factor authentication.

This article has not been written with much care. It should state that the US will ban two-factor authentication via SMS MESSAGE (or SMS Text Message). SMS is a protocol used for SIM communication. SMS is perfectly capable of AES or PSKC over OCRA, which is banking grade encryption.

I think SA is the only place that uses SMS in conversation, which seems to be creating most of the confusion. It's the equivalent of saying "I'm sending you an SMTP" instead of email.
 

deweyzeph

there will never be a safeguard against human stupidity.

Anybody can become a victim of SIM-swap fraud. It doesn't matter how "stupid" or informed you are. There is nothing you can do about it as a consumer, which is what makes it so scary. Of course, the scamsters still need your username and password, which is where I agree the stupid part could play a part.
 

j4ck455

This article has not been written with much care. It should state that the US will ban two-factor authentication via [highlight]SMS MESSAGE[/highlight] (or SMS Text Message). SMS is a protocol used for SIM communication. SMS is perfectly capable of AES or PSKC over [highlight]OCRA[/highlight], which is banking grade encryption.

I think SA is the only place that uses SMS in conversation, which seems to be creating most of the confusion. It's the equivalent of saying "I'm sending you an SMTP" instead of email.

Are you suggesting that two-factor authentication systems in the US currently require people to complete an authentication challenge by sending a "Text Message" instead of entering a code received via "Text Message"?

Considering that SMS is an abbreviation for Short Message Service, and while "SMS MESSAGE" does make sense (except for the CAPSLOCK), it would be less of a mouthful to say "Short Message" instead.

OCRA?
 

Vice

Well it was inevitable, there're so many "moving parts" in the system anyways...
 

Swa

The problem isn't with it being used as two-factor but as primary authentication. Changing passwords should require re-entering the password or a reset link through email, and not an OTP.
 

Ga77a

Are you suggesting that two-factor authentication systems in the US currently require people to complete an authentication challenge by sending a "Text Message" instead of entering a code received via "Text Message"?

Considering that SMS is an abbreviation for Short Message Service, and while "SMS MESSAGE" does make sense (except for the CAPSLOCK), it would be less of a mouthful to say "Short Message" instead.

OCRA?

No, I'm not. They use text message OTP like we do here with most banks. This creates big problems, primarily with SIM swap fraud. I'm saying they should and will start using an authentication challenge on their mobile device sent via the SMS channel, that is not a text message.

Short Message Service does not equal SMS Message, in the same way SMTP does not equal email. They are both content that is transferred over the former mentioned protocol in each case.

OCRA = OATH Challenge-Response Algorithms
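An added example, not part of the thread or any poster's code: the one-way challenge-response that OCRA (RFC 6287) defines, for the suite OCRA-1:HOTP-SHA1-6:QN08. It shows that the response is derived from a key held on the device, so receiving the challenge alone (for example after a SIM swap) is not enough to answer it. The key is the RFC's published test key and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Suite string from RFC 6287: HMAC-SHA1, 6-digit response, numeric challenge of up to 8 digits.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"
DIGITS = 6


def ocra_response(key: bytes, challenge: str, suite: str = SUITE) -> str:
    """Response to a numeric challenge (no counter, PIN, session or time inputs)."""
    if not (challenge.isascii() and challenge.isdigit() and len(challenge) <= 8):
        raise ValueError("challenge must be 1 to 8 decimal digits")
    # RFC 6287: the decimal challenge becomes a hex string that is
    # right-padded with zeros to 128 bytes (256 hex characters).
    q = bytes.fromhex(format(int(challenge), "x").ljust(256, "0"))
    # DataInput = OCRASuite | 0x00 | Q for this suite.
    data = suite.encode("ascii") + b"\x00" + q
    mac = hmac.new(key, data, hashlib.sha1).digest()
    # HOTP dynamic truncation (RFC 4226): 31 bits taken at a MAC-dependent offset.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def new_challenge() -> str:
    """Server side: a fresh random 8-digit challenge per authentication attempt."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def verify(key: bytes, challenge: str, response: str) -> bool:
    """Server side: recompute the response and compare in constant time."""
    return hmac.compare_digest(ocra_response(key, challenge), response)


if __name__ == "__main__":
    device_key = b"12345678901234567890"   # RFC 6287 test key, shared at enrolment
    challenge = new_challenge()             # sent to the user over any channel
    answer = ocra_response(device_key, challenge)   # computed on the device
    print(challenge, answer, verify(device_key, challenge, answer))
    # Someone who sees the challenge but holds a different key fails verification.
    print(verify(device_key, challenge, ocra_response(b"x" * 20, challenge)))
```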
 