Time Is Running Out For This Popular Online Security Technique
So-called two-factor authentication is a must these days when logging into online accounts. Passwords aren’t enough—it’s much safer to also have to enter proof that you are in possession of a certain device that belongs to you, such as your smartphone.
The proof generally takes the form of a one-time code, generated or received by your phone or some other device, like a special security dongle. However, as Fortune noted last month, it’s not so safe to have that code sent to you via text message, as services such as Facebook (FB) and Twitter (TWTR) still do.
For that reason, the U.S. National Institute of Standards and Technology (NIST) is now poised to ban the use of SMS-based two-factor authentication codes for services that plug into government IT systems.
Get Data Sheet, Fortune’s technology newsletter.
In short, NIST wants people to use other, safer means for generating these codes—such as apps like Google (GOOG) Authenticator, or special USB dongles.
Two-factor authentication using SMS is being phased out, or “deprecated” in industry jargon—it’s acceptable for now, but “will no longer be allowed in future releases of this guidance.”
Many banks and other operators of online services still send two-factor authentication codes to their customers via SMS. However, experts have known for years that there are vulnerabilities in the system.
For more on cybersecurity, watch:
People can call up your phone company pretending to be you, then convince the support desk there to redirect your messages to a different SIM card. Hackers can exploit flaws in the ancient SS7 protocol that underpins SMS, in order to fool the phone network into thinking their device is your phone.
If your adversary is particularly well-resourced, they may even have an IMSI-catcher—a device that appears to your phone as the normal phone network— in order to intercept your messages.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” NIST’s draft reads. No kidding.