Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

NIST Prepares To Ban SMS-Based Two-Factor Authentication ( 146

An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the usage of tokens and software cryptographic authenticators instead. Even biometrics authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

Comment Meaningless (Score 1) 504

"Solving" the problem centrally is meaningless, because you cannot know, for example, how much more I would enjoy an extra set of forks than you would enjoy a spare bicycle tire. Only the people involved in the outcomes can negotiate this directly, as peers, to determine a mutually-agreeable answer. An algorithm cannot do it in their place.

Comment Re:Encryption (Score 1) 315

Incorrect. Prolonged (non-routine) detentions must be based on reasonable suspicion. Even then, the duration of the detention must be limited to the time necessary to confirm or dispel that suspicion. And even if there is reasonable suspicion, under no circumstances can the duration exceed 48 hours without a judicial hearing.

Exactly. So expect to spend 47 hours and 59 minutes in jail and don't expect and apology after you pay a lawyer to help get you out.

Comment Re:They sound completely insane (Score 2) 326

I think of this a lot when I hear about atheism really "catching on." I wonder what percentage of the population has always thought the whole thing was nonsense and never wanted to spend the social capital (or the time in prison, depending on the culture) to say anything about it. That's why I can't really get all riled up about the "militant atheists" who supposedly mess everything up. The key service they offer is to provide cover to atheists to be honest about not believing.

It's also just like gay rights: Everybody hated gay people when nobody knew any of them. As soon as everybody had a totally normal friend who admitted to being gay, we stopped thinking it was a great idea to kick them around, resulting in more people coming out. We didn't just suddenly create a bunch of gay people over the course of a generation.

Comment Re:They sound completely insane (Score 5, Insightful) 326

Here's something I've often wondered: If you have a custom of throwing people who don't believe in the volcano god into a volcano, how long will it take after everybody stops believing in the volcano god for somebody to ask, "So do we all really still believe this stuff?"

I'm thinking it might be a pretty long time.

Slashdot Top Deals

"You must have an IQ of at least half a million." -- Popeye