hiwa's translation is hard to read, so I'll paste the original (Score:3, Informative)
by Anonymous Coward on 2016-07-26 21:07 (#3053506)
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2... [techcrunch.com]
- When SMS is used for two-factor authentication, the verifier must confirm (SHALL) that the number is not a VoIP or similar service (which an attacker could more easily receive on).
- Changing the registered telephone number must require two-factor authentication (SHALL NOT be possible without it).
- Use of SMS for out-of-band authentication is deprecated and will not be permitted in future guidance.
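The rules in the quoted draft, expressed as a small verifier-side policy check. This is an added example, not code from the post or from NIST; the line-type table, the `Account` record and the factor names are constructed stand-ins for a carrier line-type lookup and a session's authentication state.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a carrier / number-portability lookup service
# (hypothetical data; a real deployment would query a provider API).
LINE_TYPE_LOOKUP = {
    "+15550000001": "mobile",
    "+15550000002": "voip",
    "+15550000003": "landline",
}


@dataclass
class Account:
    user: str
    phone: str                      # the pre-registered telephone number
    verified_factors: set = field(default_factory=set)  # factors proven this session


def lookup_line_type(number: str) -> str:
    """Return the line type for a number, or 'unknown' if the lookup has no record."""
    return LINE_TYPE_LOOKUP.get(number, "unknown")


def may_send_oob_sms(account: Account) -> bool:
    """Draft rule: the OOB SMS may only go to a number on a mobile network.
    VoIP, landline and unknown line types are all refused."""
    return lookup_line_type(account.phone) == "mobile"


def send_oob_sms(account: Account, code: str, outbox: list) -> bool:
    """Send the OOB code only after the line-type check passes; returns whether it was sent."""
    if not may_send_oob_sms(account):
        return False
    outbox.append((account.phone, code))  # constructed 'send': record instead of dispatching
    return True


def change_phone_number(account: Account, new_number: str) -> None:
    """Draft rule: the pre-registered number SHALL NOT change without 2FA at the time of change.
    Two distinct verified factors are required here (assumption about how 'two-factor' is recorded)."""
    if len(account.verified_factors) < 2:
        raise PermissionError("two-factor authentication required to change the phone number")
    # Added strictness (not stated by the draft): refuse non-mobile numbers at registration
    # time too, so the send-time check above cannot be bypassed by registering a VoIP number.
    if lookup_line_type(new_number) != "mobile":
        raise ValueError("new number must be associated with a mobile network")
    account.phone = new_number
```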