The 2-Factor Authentication You Know and Trust May Get an Overhaul


When someone's Twitter account suddenly starts spewing out-of-character remarks or tweeting images of scantily clad women, we usually assume that the person has been hacked — and that they could have prevented the breach with two-factor authentication. 

Two-factor authentication, or 2FA, often refers to the extra step of entering a random passcode when you log in to a social network. For example, if you have two-factor authentication enabled on Twitter, the platform will send a six-digit code to your phone each time you sign in as an added layer of protection. Two-factor authentication is common practice these days now that hacked accounts seem as prevalent as the early-aughts butt dial. 

But this security measure may not be as dependable as you think: It's vulnerable to hijacking, and it doesn't ensure that the person entering the code actually has the phone in hand. A hacker could still gain access to your accounts.

The latest draft of the U.S. National Institute of Standards and Technology's Digital Authentication Guideline points to a future where two-factor authentication gets a major overhaul. 

In the draft, NIST proposes getting rid of SMS-based two-factor authentication, CNET reported. 

"Ability to receive email messages or other types of instant message does not generally prove the possession of a specific device, so they shall not be used as out-of-band authentication methods," NIST states in the draft. In other words, with SMS-based authentication, you can't guarantee that the intended recipient actually has the physical device. Or, if the individual uses a voice-over internet protocol service — which provides phone service through a broadband internet connection instead of a traditional network — hackers can hijack the SMS message.

Is there a better security method? You bet: fingerprints. If SMS-based two-factor authentication were successfully banned as a security protocol, users could still use biometric features to confirm their identities, according to the draft guideline. 

So in the future, if you enable login verification on Twitter, rather than getting a six-digit code sent to your phone to then input to access the service, you could just press your sweet fingerprint into your Touch ID button, and voila. This would prove that you are definitely in possession of your device and that you are in fact uniquely you. 

Hold your fingers close, darlings.

Read more: