Don't have big, systematic data on this but I constantly hear all over the world from people without any 2FA whose accounts get taken over via password reuse and much rarer live phishing of SMS 2FA. I do push people to U2F but, ceteris paribus, SMS 2FA seems way better than none.
-
To give you an example, the LOUSY Google help pages for security keys have been a giant hurdle for me for years in getting people to use security keys. (I've been begging everyone I know in Google for years to no avail).
-
I ran into so many problems with the fact that Google wouldn't bother to have a decent help page for a fantastic product, we now use an independently produced page in security key training. Huge improvement in uptake simply by putting in screenshots. https://techsolidarity.org/resources/security_key_gmail.htm …
-
I'm confused, how did they get their existing script? Editing it themselves works too. You agree that SMS-2FA does not require any capability that the attacker has not already demonstrated, or you're saying adding or buying some code is a new capability that attacker won't have?
-
I'm referring not to phishing but to password reuse/easy password which is what SMS 2FA helps block. That might be the only point where we disagree. In my world, password reuse/easy-to-guess password are huge vulnerabilities even among highly-motivated at-risk users.