EU Login is the system allowing users to prove they really are the owner of their account, often granting them access to sensitive data that no one else should be able to access on their behalf. From the most famous political actors to individual citizen, the mission of EU Login is the same: ensure that only authorised people can access the data stored across EU Institutions.
It is with this mission in mind that authentication methods are frequently re-assessed based on cybersecurity related events happening all over the world. Our colleagues from CERT-EU have published a series of cybersecurity guidelines in their effort to keep EU citizen data as safe as possible, the SMS One-Time Password (OTP) was already pinned down as a weak link of the authentication chain. You may find many stories over the internet about cellular phone network operators "recycling" phone numbers, SIM swapping or cellular network impersonation attacks. Those target end users, but the EU Login authentication system itself has also been targeted by attackers, flooding the system with illegitimate SMS.
The European Commission has taken the decision to remove the SMS One-Time Password (OTP) from the available two-factor authentication methods within EU Login. This will help protecting individual user's data as well as data accessible to privileged accounts to keep EU's data as secured as possible.
Of course we do realise that this removes one of the most popular and easy-to-set up authentication method. We have therefore worked very hard to integrate more options. Please refer to our article What second factor can I configure with my account? : it lists the available options and also features a short movie that will help you set up alternative authentication methods with your EU Login account.
Our documentation still lists the SMS authentication option because it is still available today. This option will be phased out for the European Commission users by 15/01/2025, while it will be removed for all other users by end of June 2025. The documentation will be updated accordingly after this change is fully implemented.
Thank you for your understanding and your contribution to keep EU data safe!
Details
- Publication date
- 7 November 2024
- Author
- Directorate-General for Digital Services