All you 2FA hard token zealots out there saying SMS is worthless because a nation state can pwn it - if a nation state wants your SMS token, they'll get it. They'll beat you up and steal it if you're that important. Stop discouraging orgs from implementing "good enough" security
Replying to @MalwareJake
My wife @ktgrok taught me this: “Don’t let perfect be the enemy of good.” It’s a guiding principle in every security decision I make.
2 replies 1 retweet 29 likes
"2FA" that's really SMS 1FA, which almost all "SMS 2FA" really is, is not "perfect being enemy of good". It's much much worse than password-only 1FA.
3 replies 0 retweets 2 likes
You’re gonna need to sell me on that one. Not everyone has a threat model where they are getting SIMs cloned or numbers ported, everyone does have a threat model where passwords get stolen or reused. I can’t see how SMS 2FA does not provide some additional protection.
1 reply 0 retweets 2 likes
"Random person decides they want to destroy your life" should be part of everyone's threat model, especially if you're not male, straight, cis, conventionally male-presenting, and white.
2 replies 0 retweets 1 like
I don’t necessarily disagree with that statement, but using what you just said wouldn’t those groups not be safer with a password and SMS 2FA than just a password? Hardware Token>Soft Token>SMS 2FA>password, correct?
1 reply 0 retweets 0 likes
No, because almost everyone lets you reset password with SMS if you provide it. That's why I call it SMS 1FA.
2 replies 0 retweets 3 likes
I can agree with that. That is a terrible process. I am dividing Auth from reset. Your reset should not use the same mechanisms if possible. However, if you have a solid reset process outside of SMS I feel SMS 2FA + pass is stronger than 1FA. I agree with your point about reset
1 reply 0 retweets 1 like
Yes. I just think it's a mistake to be teaching and pushing users who don't understand the subtleties to be using "SMS 2FA" until this reset channel nonsense is abolished almost everywhere.
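The point argued above, that a second factor which also works as a password-reset channel collapses to a single factor, can be checked mechanically. The following is an added example, not code from anyone in the thread: it models an account's login factors and its reset channels as sets of "channels an attacker must control" and reports the smallest set that takes the account over. The policy names and channel labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

@dataclass(frozen=True)
class AccountPolicy:
    name: str
    # Channels an attacker must control to pass a normal login.
    login_factors: FrozenSet[str]
    # Each entry: a set of channels that, on its own, lets someone reset the password.
    reset_channels: List[FrozenSet[str]]

def takeover_paths(policy: AccountPolicy) -> List[FrozenSet[str]]:
    """Every way into the account, expressed as the channels it requires.

    A reset path hands the attacker a new password, but any non-password
    login factor (SMS code, token) must still be satisfied afterwards."""
    paths = [policy.login_factors]
    non_password = policy.login_factors - {"password"}
    for reset in policy.reset_channels:
        paths.append(reset | non_password)
    return paths

def effective_factors(policy: AccountPolicy) -> int:
    """Smallest number of independent channels an attacker needs."""
    return min(len(p) for p in takeover_paths(policy))

def weakest_paths(policy: AccountPolicy) -> List[FrozenSet[str]]:
    """The paths that realise the minimum, so an auditor sees what to fix."""
    n = effective_factors(policy)
    return [p for p in takeover_paths(policy) if len(p) == n]

# Constructed policies mirroring the thread: the same "SMS 2FA" login with
# an SMS reset channel versus a reset channel that is independent of SMS.
SMS_2FA_SMS_RESET = AccountPolicy(
    "password+SMS, reset via SMS",
    frozenset({"password", "sms"}), [frozenset({"sms"})])
SMS_2FA_EMAIL_RESET = AccountPolicy(
    "password+SMS, reset via email",
    frozenset({"password", "sms"}), [frozenset({"email"})])
PASSWORD_ONLY_SMS_RESET = AccountPolicy(
    "password only, reset via SMS",
    frozenset({"password"}), [frozenset({"sms"})])

if __name__ == "__main__":
    for p in (SMS_2FA_SMS_RESET, SMS_2FA_EMAIL_RESET, PASSWORD_ONLY_SMS_RESET):
        print(f"{p.name}: {effective_factors(p)} effective factor(s); weakest paths: "
              + ", ".join(sorted("+".join(sorted(w)) for w in weakest_paths(p))))
```

Run as a script it shows that "password+SMS with SMS reset" and "password only with SMS reset" both reduce to one channel (the phone number), while moving the reset channel off SMS restores two.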