If we disagree, it’s that I don’t think SMS 2FA is basically worthless. If you’re a vendor, I’d be begging you not to do it that way, and to adopt U2F and/or auth app. Still, for many users, those are surprisingly hard steps.
Replying to @zeynep @alexstamos and
I get that, but my point was you can achieve the same result that we both like (lower opportunistic phishing) with my silly banana scheme. Is my banana scheme basically worthless? If yes, then why is it worse than SMS-2FA?
Replying to @taviso @alexstamos and
"Banana" is fixed word? Once again, anything that involves typing something, not a huge barrier to opportunistic attacks. Mutter the words "php script", and a surprisingly non-negligent number of them seem to scatter.
Replying to @zeynep @alexstamos and
Yes, fixed word, must be typed into a form field. Your php script will have to be changed to support it. So you're saying that my banana scheme isn't worthless, and has value?
Replying to @taviso @alexstamos and
This may seem really weird, but even that might have a non-zero impact. Though the distance between (1) regular phishing and (2) editing php script is probably much closer than the difference between (3) guessing easy password and (4) escalating to phishing a hard password.
Replying to @zeynep @alexstamos and
I think we agree if you would say BFA and SMS 2FA have similar value, we just disagree on how valuable that is.
Replying to @taviso @alexstamos and
They don't deal with the same attacker group, though.
Replying to @zeynep @alexstamos and
They do, the problem of password reuse and online password cracking is different, and no form of 2FA is particularly useful. The solution there is strong unique passwords.
Replying to @taviso @alexstamos and
Password reuse + SMS 2FA > password reuse. How big? I can’t know for sure but given my experience, my hunch is that it’s much larger than one might guess because humans have threshold behaviors. They stay in certain lanes, drastically avoid others.
You can teach the binomial theorem to a 10 year old, just don’t tell them it’s math. Tell people it’s probability theory, they cannot understand. Don’t, easy peasy. So phishing isn’t a default among the politically motivated opportunistic attackers, in my experience. ¯\_(ツ)_/¯
(I have hundreds of security keys in my office; I give them out like candy, btw.)