six colors

by Jason Snell & Dan Moren

Linked by Dan Moren

Apple’s made two-factor authentication too easy, but not more secure

Nice piece over at TidBITS from our friend Glenn Fleishman details the handy autofill feature for two-factor authentication codes in iOS 12 and Mojave, but points out—more importantly—that we shouldn’t be using SMS for those codes in the first place:

Many Web sites and apps now offer two-factor authentication (2FA), which requires you to enter a short numeric code—the so-called second factor—in addition to your username and password. These temporary codes are either sent to you via text message or are generated by an authentication app. In iOS 12 and macOS 10.14 Mojave, Apple has streamlined entering such codes when sent via an SMS text message, reducing multiple steps and keyboard entry to a single tap or click.

I explain just below how this new feature works, but I also want to raise a caution flag. SMS is no longer a reliable way to send a second factor because it’s too easy for even small-time attackers to intercept those messages (see “Facebook Shows Why SMS Isn’t Ideal for Two-Factor Authentication,” 19 February 2018). It’s time for Web sites that use 2FA to move away from SMS.