Reminder: SMS 2FA is still meaningful. Large-scale account takeover study (3.3 billion accounts): SMS auth was effective against 100% of automated password stuffing, 96% of bulk phishing, 76% of targeted attacks. U2F is *even* better! Use it! Mudge & Niels: youtu.be/SOQgABDSYZE?t=
Quote Tweet
Even if the current Twitter authentication problems turn out to be something different, it's a good time to reiterate: 2FA that is based on SMS or in other ways tied to mobile phone numbers is a seriously bad idea. Phone number assignment processes were never designed for this.
I say this having the utmost respect for him. He is one of the people I admire most. His comment is not wrong, but it lacks significant context. Passwords + SMS auth is far better than just passwords. If it is an option, you should use U2F, which is *much* better!
I share Frank's frustration. Weaknesses in SMS auth were foreseeable. SMS was not intended/designed for this. SS7/SIP-T attacks will become increasingly automatable and feasible. However, for the foreseeable future SMS auth adds real cost to an attacker over passwords alone.
Sites implementing only SMS-based 2FA (way harder to implement than U2F/FIDO2 with TOTP as another option for people without keys) are those that tend to use it for account recovery... they have people add a phone number, not strictly a phone number for 2FA authentication.
A good way to test this is to try recovering your own accounts as if you've forgotten your password. If you've given them a phone number for any reason, it's generally possible to recover the account via SMS, meaning someone hijacking your phone number can steal your account.
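The recovery test above comes down to a weakest-link question: an account is only as strong as the cheapest set of factors that opens it, whether through login or through recovery. The following is an added example, not code from anyone in the thread; it models hypothetical account policies (the policy names and factor labels are assumptions for illustration) as sets of factors and reports which policies fall to an attacker who controls nothing but the phone number, and which minimal factor sets can be obtained without physical access at all.

```python
"""Account-recovery paths modelled as sets of factors.

Added example, not from the thread. Each way into an account (a normal
login or a recovery flow) is a set of factors that together grant access.
An attacker who controls a superset of any single path owns the account,
so a phone number accepted for recovery undercuts any stronger login path.
"""

# Factor labels (assumed names for this model).
PASSWORD = "password"
PHONE = "phone_number"      # obtainable by SIM swap, port-out or SS7 interception
EMAIL = "recovery_email"
TOTP = "totp_secret"
U2F = "u2f_key"             # physical token; not obtainable remotely

# Factors an attacker can plausibly obtain without physical access.
REMOTE_FACTORS = {PASSWORD, PHONE, EMAIL, TOTP}


class AccountPolicy:
    def __init__(self, name, login_paths, recovery_paths):
        self.name = name
        # Login and recovery paths are equivalent from the attacker's view.
        self.paths = [frozenset(p) for p in login_paths + recovery_paths]

    def takeover_possible(self, attacker_has):
        """True if the attacker's factors cover at least one full path."""
        held = frozenset(attacker_has)
        return any(path <= held for path in self.paths)

    def minimal_attack_sets(self):
        """Paths not dominated by a smaller path (the real attack surface)."""
        minimal = []
        for path in sorted(self.paths, key=len):
            if not any(m <= path for m in minimal):
                minimal.append(path)
        return minimal

    def remote_takeover_sets(self):
        """Minimal attack sets achievable without physical access."""
        return [s for s in self.minimal_attack_sets() if s <= REMOTE_FACTORS]


# Hypothetical policies illustrating the thread's point.
POLICIES = [
    AccountPolicy("password only", [{PASSWORD}], []),
    AccountPolicy("password + SMS 2FA, phone also accepted for recovery",
                  [{PASSWORD, PHONE}], [{PHONE}]),
    AccountPolicy("password + SMS 2FA, recovery only via email",
                  [{PASSWORD, PHONE}], [{EMAIL}]),
    AccountPolicy("password + U2F, recovery requires the key",
                  [{PASSWORD, U2F}], [{U2F, EMAIL}]),
]


def audit(policies=POLICIES):
    """Map policy name -> (phone number alone suffices?, remote minimal sets)."""
    report = {}
    for pol in policies:
        report[pol.name] = (
            pol.takeover_possible({PHONE}),
            sorted(sorted(s) for s in pol.remote_takeover_sets()),
        )
    return report


if __name__ == "__main__":
    for name, (phone_only, remote) in audit().items():
        print(f"{name}:")
        print(f"  phone number alone suffices: {phone_only}")
        print(f"  remotely obtainable attack sets: {remote}")
```

The second policy is the situation described in the thread: the login path demands password plus SMS, but the recovery path accepts the phone number alone, so a SIM swap is the whole attack. Moving the phone number out of recovery (third policy) restores the password as a required factor; requiring the key for recovery (fourth policy) leaves no remotely obtainable path at all.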
The main thing that landing.google.com/advancedprotec provides is protection against hijacking your account via account recovery. It puts restrictions on their support staff in addition to the technical restrictions. I wish I could enable this on more than just my Google account.