George I agree with you. Generally speaking, 2FA w/SMS is still better than no 2FA. Not sure why it’s even an issue?
Replying to @RadiateSystems @tqbf and
Also, before a SIM swap occurs, the attacker would need to know the phone #...I’m not saying it’s impossible but most cell phone #’s are not published.
What attack do you claim SMS 2FA prevents?
Non-state sponsored or targeted credential theft
Replying to @RadiateSystems @taviso and
An attacker generally wouldn’t 1.) know the cell phone # of a user and 2.) couldn’t easily SIM swap biz accounts
That is a different discussion, about the weak transport security of SMS. I mean literally, even if SMS was secure, what does SMS 2FA buy you? I'm being serious, I don't think it solves any problem.
Here is what it solves: a lot of phishing attacks originate from Nigeria. Even 2FA w/SMS will prevent most phishing/credential theft account takeover. We InfoSec people know too much and that’s why we always default to worst case scenarios
What do you mean by "solve", you mean attackers will have to make minor changes to their code? I do not agree causing attackers minor temporary inconvenience qualifies as solving the problem.
Replying to @taviso @RadiateSystems and
This isn't a "perfect is the enemy of the good" scenario, which is what I think you were trying to argue. For that to be the case, there would have to be some good - and I claim there is none, maybe even a little harm (false sense of security, used as ineffective stopgap, etc).
My thinking is that non-U2F is still valuable for less “phish prone” users...would u agree? In other words, if u combine 2FA w/security Awareness Training, perhaps the sky is not falling?
I think security training would be useful with or without 2FA. If someone is vulnerable to phishing, 2FA doesn't change that. If they're not, then 2FA is (at best) not very useful. IMHO, 2FA is slowing down U2F adoption, because people (incorrectly) think it's "good enough".