Everyone wants there to be simple answers in security, but sometimes there are no simple answers.
-
Does the adversary set matter here? If you are a small company that models its adversaries as mostly using phishing to grab creds to corp SaaS systems, they probably aren’t going to invest to be able to bypass SMS-2FA?
-
Yes, I agree that a rational attacker will calculate the cost of updating his PHP vs the expected increase in victim yield and *could* find it's not worth it. That's also true of making users type "banana" into a form field, which adds about as much security IMO.
