All you 2FA hard token zealots out there saying SMS is worthless because a nation state can pwn it - if a nation state wants your SMS token, they'll get it. They'll beat you up and steal it if you're that important. Stop discouraging orgs from implementing "good enough" security
-
You’re gonna need to sell me on that one. Not everyone has a threat model where they are getting SIMs cloned or numbers ported, everyone does have a threat model where passwords get stolen or reused. I can’t see how SMS 2FA does not provide some additional protection.
-
"Random person decides they want to destroy your life" should be part of everyone's threat model, especially if you're not male, straight, cis, conventionally male-presenting, and white.
-
I don’t necessarily disagree with that statement, but using what you just said wouldn’t those groups not be safer with a password and SMS 2FA than just a password? Hardware Token>Soft Token>SMS 2FA>password, correct?
-
No, because almost everyone lets you reset password with SMS if you provide it. That's why I call it SMS 1FA.
-
And it's not only "those groups". Boring white dudes are also subject to random angry people, angry exes, etc.
End of conversation
New conversation -
-
What makes most SMS 2FA become SMS 1FA? The ability to reset passwords through SMS only?
-
Let’s not conflate poor password reset processes and SMS 2FA. Those are two different issues. I’m only talking about 1FA password vs 2FA SMS and Password. The reset is a different debate.
-
I'm conflating them because a huge portion of services that offer "SMS 2FA" let you use SMS as a password reset vector if you provided a number. Thus making it "SMS 1FA".
-
See other reply, you were debating holistic approach and not specific technology. I can agree with that. Cheers.
End of conversation
New conversation -
-
Really the only thing I take issue with in your statement is “It's much much worse than password-only 1FA.” I can’t see any scenario where SMS 2FA plus password is actually worse than password only 1FA.