The primary scenario that SMS 2FA prevents is account takeover via password reuse, not live phishing. Our data shows that the former is many, many times more prevalent.
I guess I'm not sure I understand where we disagree; we both agree that attackers can improve, and both agree they haven't yet while adoption is so low. Is it that you argue that even when forced to adapt because of high adoption of SMS-2FA, they'll just pack up and go home?
-
Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
-
If we disagree, it’s that I don’t think SMS 2FA is basically worthless. If you’re a vendor, I’d be begging you not to do it that way, and to adopt U2F and/or auth app. Still, for many users, those are surprisingly hard steps.