SMS 2FA binds to your phone number, not you or your phone. Nobody is going to intercept SS7; they’re going to call a phone company and port your number to their phone.
Replying to @petersongeorged @tqbf
It doesn't work. The problem we have is that passwords can be phished, the solution to that is not to add a second phishable password called a "token". Is it better than nothing? Eh, in the unlikely event that you're a password re-user but not vulnerable to phishing, I guess?
Tough call, I think SMS 2FA might be worse than nothing. I don't know what Authy is, but unless it's U2F it probably has similar properties.
Did you read the announcement? The user thought SMS 2FA was secure, and it got them compromised. They were misled, no?
No, different argument. In order to open a locked door an attacker needs to demonstrate a new capability: ability to pick locks. In order to defeat 2FA an attacker needs a capability they've already proven they have, ability to phish credentials.