Conversation

Mudge
@dotMudge
Reminder: SMS 2FA is still meaningful. Large scale account take over study (3.3Billion accounts): SMS Auth was effective against: 100% Automated password stuffing 96% Bulk phishing 76% Targeted attacks U2F is *even* better! Use it! Mudge & Niels: youtu.be/SOQgABDSYZE?t=
Quote Tweet
Frank Rieger
@frank_rieger
Even if the current Twitter authentication problems turn out to be something different, its a good time to re-iterate: 2FA that is based on SMS or in other ways tied to mobile phone numbers is a seriously bad idea. Phone number assignment processes were never designed for this.
23
679
Mudge
@dotMudge
I say this having the utmost respect for
@frank_rieger
. He is one of the people I admire most. His comment is not wrong, but it lacks significant context. Passwords + SMS auth is far better than just passwords. If it is an option, you should use U2F which is *much* better!
5
58
Mudge
@dotMudge
I share Frank’s frustration. Weaknesses in SMS auth were foreseeable. SMS was not intended/designed for this. SS7/SIP-T attacks will become increasingly auto stable and feasible. However for the foreseeable future SMS Auth adds real cost to an attacker over passwords alone.
3
60
Daniel Micay
@DanielMicay
Replying to
@dotMudge
Giving your phone number to a service often allows for account recovery via SMS. Adding SMS 2FA to an account can often unintentionally enable SMS-based account recovery. It's sometimes implemented strictly as a 2nd factor but also used for other purposes too.
2
3
Daniel Micay
@DanielMicay
Replying to
@RichFelker
and
@dotMudge
I have a SIM lock on my SIM card as a basic protection. It would be far better if nothing trusted control over phone numbers but that's not the world we live in so I have that set up. It's a bit annoying to have a PIN to enter on boot in addition to my passphrase but worth it.
1
2