When it comes to two-factor authentication, SMS isn’t exactly the most secure method. Thankfully, AT&T and Verizon just announced a partnership today with T-Mobile and Sprint to improve the security of mobile authentication. Carriers rarely work together, but it would appear that this is a vital enough concern for customers to encourage collaboration.
For the unfamiliar, two-factor authentication (2FA) is a security mechanism in which something known (a password) is combined with something you are known to have (like a phone). This can manifest via a code sent to you when you attempt to login or a request for a key generated by a system in your possession, such as Google’s Authenticator. It’s an easy way to drastically increase the security of your accounts, and you should probably enable it for every site and service that you use which supports it.
An example of SMS 2FA
Although two-factor authentication is a necessity in the modern era, and although there are secure methods of using it, unfortunately, a large number of services require that codes be delivered via relatively insecure systems like SMS. Combine that with the documented ease of social engineering which carriers provide via their support channels, and SMS 2FA only serves to protect you from passing interests.
The technical details behind this collaboration remain a mystery, though both companies reference “network-based device authentication, geo-location and SIM card recognition” as mechanisms for addressing the issue. The easier solution might just be to train their tech support to better resist social engineering, or for companies that use SMS 2FA to just offer a more secure authentication mechanism, but I digress.
This new “Mobile Authentication Taskforce” is expected to begin bearing fruit sometime in 2018, for both “enterprises and customers.” With the US’ four largest carriers working together on this in an open way, whatever solutions they discover should be interoperable. And open security standards are good for consumers.
In the meantime, it might be better to move whatever you can over to a more secure method like Authenticator.