Also, before a SIM swap occurs, the attacker would need to know the phone #...I’m not saying it’s impossible but most cell phone #’s are not published.
What attack do you claim SMS 2FA prevents?
1 reply 0 retweets 0 likes
Non-state sponsored or targeted credential theft
2 replies 0 retweets 0 likes
Replying to @RadiateSystems @taviso and
An attacker generally wouldn’t 1.) know the cell phone # of a user and 2.) couldn’t easily SIM swap biz accounts
1 reply 0 retweets 0 likes
That is a different discussion, about the weak transport security of SMS. I mean literally, even if SMS was secure, what does SMS 2FA buy you? I'm being serious, I don't think it solves any problem.
1 reply 0 retweets 0 likes
Here is what it solves: a lot of phishing attacks originate from Nigeria. Even 2FA w/SMS will prevent most phishing/credential theft account takeover. We InfoSec people know too much and that’s why we always default to worst case scenarios
1 reply 0 retweets 1 like
What do you mean by "solve", you mean attackers will have to make minor changes to their code? I do not agree causing attackers minor temporary inconvenience qualifies as solving the problem.
1 reply 0 retweets 0 likes
Replying to @taviso @RadiateSystems and
This isn't a "perfect is the enemy of the good" scenario, which is what I think you were trying to argue. For that to be the case, there would have to be some good - and I claim there is none, maybe even a little harm (false sense of security, used as ineffective stopgap, etc).
2 replies 0 retweets 0 likes
One more thought/question: take GMail for example. Even with Google Authenticator, SMS is a backup option. If non-U2F is security theater, any ideas what’s the logic behind the offering?
1 reply 0 retweets 0 likes
Replying to @RadiateSystems @taviso and
*If non-U2F MFA options are security theater
1 reply 0 retweets 0 likes
I don't know what the logic is, but if it was up to me it wouldn't exist.
Now we just need to convince banks, Google (GMail), Microsoft, and all other vendors. Arghhh, I just want to believe 2FA is not dead!
0 replies 0 retweets 1 like