SMS-2FA is harmful and literally doesn't work. There is no reason to ever enable it.
Quote Tweet
Another day, another chance to remind everyone that text-message passwords are not multi-factor authentication, it's two-step verification using only 1 factor. "SMS 2FA" is an oxymoron & harmful for MFA efforts. CCing my fave opinionites @riskybusiness @Metlstorm @taviso twitter.com/josephfcox/sta…
This Tweet was deleted by the Tweet author.
No, it doesn't mitigate those attacks. That's the problem, if it did then that would be great. "Don't let the perfect be the enemy of the good" only applies when something is good enough, but not perfect. The problem is that SMS-2FA is *not* good enough.
What makes you say it doesn't mitigate those attacks? To me, it seems like it depends on context: if I have to spend $16 to compromise an account, and a large number of accounts are worthless, that will be a substantial average spend per valuable account, as an attacker