
Reminder: SMS 2FA is still meaningful. Large-scale account takeover study (3.3 billion accounts): SMS auth was effective against: 100% of automated password stuffing, 96% of bulk phishing, 76% of targeted attacks. U2F is *even* better! Use it! Mudge & Niels: youtu.be/SOQgABDSYZE?t=
Quote Tweet
Even if the current Twitter authentication problems turn out to be something different, it's a good time to reiterate: 2FA that is based on SMS or in other ways tied to mobile phone numbers is a seriously bad idea. Phone number assignment processes were never designed for this.
I say this having the utmost respect for . He is one of the people I admire most. His comment is not wrong, but it lacks significant context. Passwords + SMS auth is far better than just passwords. If it is an option, you should use U2F which is *much* better!
I share Frank's frustration. Weaknesses in SMS auth were foreseeable. SMS was not intended/designed for this. SS7/SIP-T attacks will become increasingly automatable and feasible. However, for the foreseeable future SMS auth adds real cost to an attacker over passwords alone.
Giving your phone number to a service often allows for account recovery via SMS. Adding SMS 2FA to an account can often unintentionally enable SMS-based account recovery. It's sometimes implemented strictly as a 2nd factor, but is also used for other purposes.
The main thing that landing.google.com/advancedprotec provides is protection against hijacking your account via account recovery. It puts restrictions on their support staff in addition to the technical restrictions. I wish I could enable this on more than just my Google account.
It's also rare for sites to offer accounts that cannot be hijacked via recovery through email addresses. Email security can be done right, but usually isn't. How many sites with email recovery enforce DANE and/or MTA-STS? Anyone who can MITM those connections can hijack accounts.
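The MTA-STS point in the last reply, as an added example that is not part of the original thread: a minimal parser for the RFC 8461 policy file a sending MTA fetches from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, plus a model of the sender's decision for a single delivery attempt. It shows why a policy in `mode: testing` does nothing to stop an on-path attacker from redirecting or downgrading a password-reset email, while `mode: enforce` makes the sender refuse. The policies, hostnames and attacker scenarios are constructed for illustration, the code is offline (no HTTPS or DNS fetch), and DANE is not modelled.

```python
# Added example (not from the thread): MTA-STS policy parsing and the sending
# MTA's delivery decision. All policies and hostnames below are constructed.

ENFORCE = "enforce"

# Constructed sample policies in the RFC 8461 "key: value" text format.
WEAK_POLICY = """\
version: STSv1
mode: testing
mx: mail.example.com
max_age: 86400
"""

STRONG_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_mta_sts_policy(text):
    """Parse a policy body into a dict with keys version, mode, mx (list), max_age."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # Unknown keys are ignored, as RFC 8461 requires for extensibility.
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if "max_age" not in policy or not policy["max_age"].isdigit():
        raise ValueError("missing or invalid max_age")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy must list at least one mx")
    return policy


def mx_matches(pattern, host):
    """True if host matches one mx entry; a leading '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".backup.example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return host == pattern


def sender_decision(policy, mx_host, starttls_offered, cert_valid_for_host):
    """Model the sending MTA's choice for one MX host that DNS pointed it at.

    'deliver'             - host is in the policy and the TLS session authenticates it
    'refuse'              - that failed and the policy mode is enforce
    'deliver-unprotected' - that failed but the policy is only advisory (testing/none)
    """
    authenticated = (
        starttls_offered
        and cert_valid_for_host
        and any(mx_matches(p, mx_host) for p in policy["mx"])
    )
    if authenticated:
        return "deliver"
    if policy["mode"] == ENFORCE:
        return "refuse"
    return "deliver-unprotected"             # at best reported via TLSRPT, never blocked


def recovery_mail_outcomes(policy_text):
    """One honest delivery and two constructed on-path attacks against a policy."""
    policy = parse_mta_sts_policy(policy_text)
    return {
        # honest path: DNS points at the real MX and TLS checks out
        "legit": sender_decision(policy, "mail.example.com", True, True),
        # attacker spoofs the MX answer to a host they control (with a valid cert for it)
        "spoofed_mx": sender_decision(policy, "mx.attacker.example", True, True),
        # attacker strips STARTTLS so the reset link would travel in the clear
        "tls_stripped": sender_decision(policy, "mail.example.com", False, False),
    }


if __name__ == "__main__":
    for name, text in (("testing", WEAK_POLICY), ("enforce", STRONG_POLICY)):
        print(name, recovery_mail_outcomes(text))
```

Running it shows the asymmetry the reply is pointing at: under the `testing` policy both attacks end in `deliver-unprotected`, so the recovery link still reaches the attacker; under `enforce` both are refused. A real sender additionally caches the policy for `max_age` seconds and only refetches when the `_mta-sts` TXT record's `id` changes, which is what lets it keep refusing even while the attacker controls DNS.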