
Reminder: SMS 2FA is still meaningful. Large-scale account-takeover study (3.3 billion accounts): SMS auth was effective against: 100% of automated password stuffing, 96% of bulk phishing, 76% of targeted attacks. U2F is *even* better! Use it! Mudge & Niels: youtu.be/SOQgABDSYZE?t=
Quote Tweet
Even if the current Twitter authentication problems turn out to be something different, it's a good time to reiterate: 2FA that is based on SMS or in other ways tied to mobile phone numbers is a seriously bad idea. Phone number assignment processes were never designed for this.
I say this having the utmost respect for . He is one of the people I admire most. His comment is not wrong, but it lacks significant context. Passwords + SMS auth is far better than just passwords. If it is an option, you should use U2F which is *much* better!
I share Frank's frustration. Weaknesses in SMS auth were foreseeable. SMS was not intended/designed for this. SS7/SIP-T attacks will become increasingly automatable and feasible. However, for the foreseeable future SMS auth adds real cost to an attacker over passwords alone.
Giving your phone number to a service often allows for account recovery via SMS. Adding SMS 2FA to an account can often unintentionally enable SMS-based account recovery. It's sometimes implemented strictly as a 2nd factor but also used for other purposes too.
A good way to test this is to try recovering your own accounts as if you've forgotten your password. If you've given them a phone number for any reason, it's generally possible to recover the account via SMS, meaning someone hijacking your phone number can steal your account.
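The coupling the last two replies describe (a phone number stored as a second factor that silently doubles as a password-reset channel) is easy to see in a small service-side model. The code below is an added example written for this page, not code from any of the participants or from any real service; the `Account` fields, the two policy classes and the `recovery_exposure` audit are hypothetical names chosen for illustration. The legacy policy reproduces the pitfall, the scoped policy keeps "phone for 2FA" and "phone for recovery" as separate, opt-in purposes, and the audit is the service-side equivalent of the self-check suggested above.

```python
"""Hypothetical model of SMS enrolled for 2FA becoming a recovery channel.

Constructed example: the names and data here are not from any real service.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Account:
    username: str
    phone: Optional[str] = None
    sms_2fa_enabled: bool = False
    # Hypothetical explicit-consent flag: may this phone reset the password?
    # It is separate from 2FA enrolment and defaults to off.
    sms_recovery_enabled: bool = False


def enable_sms_2fa(acct: Account, phone: str) -> None:
    """Enrol a phone as a second factor only (what a user believes they did)."""
    acct.phone = phone
    acct.sms_2fa_enabled = True


def enable_sms_recovery(acct: Account) -> None:
    """Explicit, separate opt-in to SMS-based password recovery."""
    if acct.phone is None:
        raise ValueError("no phone on file")
    acct.sms_recovery_enabled = True


class LegacyRecoveryPolicy:
    """The pitfall: any phone on file, stored for any reason, can reset the
    password, so enrolling SMS 2FA also turns on SMS account recovery."""

    def can_recover_via_sms(self, acct: Account) -> bool:
        return acct.phone is not None


class ScopedRecoveryPolicy:
    """Purposes kept separate: a phone enrolled only as a second factor does
    not unlock password recovery unless the user opted in to that too."""

    def can_recover_via_sms(self, acct: Account) -> bool:
        return acct.phone is not None and acct.sms_recovery_enabled


def reset_password_via_sms(acct: Account, policy, sms_code_ok: bool) -> bool:
    """The recovery path checks no password at all: whoever receives the SMS
    passes. Under the legacy policy that is strictly weaker than the
    password + SMS login the user thought they had configured."""
    return policy.can_recover_via_sms(acct) and sms_code_ok


def recovery_exposure(accounts: Iterable[Account], policy) -> List[str]:
    """Audit: usernames whose phone was enrolled only for 2FA but is
    nevertheless a password-reset channel under `policy`."""
    exposed = []
    for acct in accounts:
        if (acct.sms_2fa_enabled and not acct.sms_recovery_enabled
                and policy.can_recover_via_sms(acct)):
            exposed.append(acct.username)
    return exposed


if __name__ == "__main__":
    # Constructed sample data.
    alice = Account("alice")
    enable_sms_2fa(alice, "+1-555-0100")  # phone given only for a second factor
    bob = Account("bob")                   # no phone on file at all
    users = [alice, bob]
    for policy in (LegacyRecoveryPolicy(), ScopedRecoveryPolicy()):
        name = type(policy).__name__
        print(f"{name}: alice reset via SMS alone ->",
              reset_password_via_sms(alice, policy, sms_code_ok=True))
        print(f"{name}: accounts with a 2FA-only phone exposed to recovery ->",
              recovery_exposure(users, policy))
```

Under the legacy policy `alice` appears in the exposure list and a reset succeeds with nothing but control of the number; under the scoped policy neither happens until she separately calls `enable_sms_recovery`, at which point the recovery channel is a deliberate choice rather than a side effect of enabling 2FA.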