But back to the original question. Would you invest in developing SMS-2FA, and do you feel that it might give the user a false sense of security?
-
Agreed. My bet is that in the interim I can protect more users using SMS. Then transitioning them to push (à la Google approach) and U2F when we can.
-
IMHO the issue with SMS 2FA isn't with the GSM attacks by https://de.m.wikipedia.org/wiki/Karsten_Nohl … but with rogue apps intercepting SMSes on smartphones. But either way, NIST 800-63B has deprecated SMS for 2FA, so it's basically dead. Or at least walking dead ;)
-
To make the extra step economically justifiable, the population of easily exploited targets would have to shrink until a supply problem justifies investment in more expensive targets. I suspect that'll be a while, though commoditizing longer paths will expedite it.
-
I think the bare minimum requirement for "raising the bar" is a new capability the attacker hasn't already demonstrated.
(I worry my replies come off as disagreement rather than nuanced agreement)