NIST: SMS shouldn't be used for two-factor authentication

The US National Institute of Standards and Technology (NIST) has published a preview of documents that are recommending against the use of SMS as an authenticator for two-factor authentication. As a result, Apple may need to develop a dedicated app or use another app for two-factor authentication.

If two-factor authentication is turned on for verification of Apple IDs, for example, a validation code is sent to a smartphone and then entered on the device the owner is trying to validate. While NIST says that SMS can be used for two-factor authentication as long as a phone number is linked to a real cellular network and is not a virtual phone number, future guidelines will do away with the use of SMS.

Apple's two-factor authentication scheme is entirely voluntary and doesn't rely totally on phone numbers, but without using SMS, a person must have a second Apple device -- say, a Mac or iPad -- available to display validation codes. It's likely that Apple would have to develop an authenticator app similar to Google Authenticator, not only for Apple devices but also for Android and Windows.