Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
If we disagree, it’s that I don’t think SMS 2FA is basically worthless. If you’re a vendor, I’d be begging you not to do it that way, and to adopt U2F and/or auth app. Still, for many users, those are surprisingly hard steps.
Replying to @zeynep @alexstamos and
I get that, but my point was you can achieve the same result that we both like (lower opportunistic phishing) with my silly banana scheme. Is my banana scheme basically worthless? If yes, then why is it worse than SMS-2FA?
Replying to @taviso @alexstamos and
"Banana" is fixed word? Once again, anything that involves typing something, not a huge barrier to opportunistic attacks. Mutter the words "php script", and a surprisingly non-negligible number of them seem to scatter.
Replying to @zeynep @alexstamos and
Yes, fixed word, must be typed into a form field. Your php script will have to be changed to support it. So you're saying that my banana scheme isn't worthless, and has value?
Replying to @taviso @alexstamos and
This may seem really weird, but even that might have a non-zero impact. Though the distance between (1) regular phishing and (2) editing php script is probably much closer than the difference between (3) guessing easy password and (4) escalating to phishing a hard password.
Replying to @zeynep @alexstamos and
I think we agree if you would say BFA and SMS 2FA have similar value, we just disagree on how valuable that is.
Replying to @taviso @alexstamos and
They don't deal with the same attacker group, though.
Also, whomever can get Google to fix this worse-than-useless help page should get all security awards. I've been trying for more than a year. This useless page is a bigger hurdle to U2F adoption than anything else I've encountered. https://support.google.com/accounts/answer/6103523?hl=en&ref_topic=6103521 …
Hey @zeynep, why don’t you just point interested folks at http://g.co/advancedprotection …, if the ultimate goal is to have only U2F enabled on the user’s account?
I’m pretty familiar with it. I do sometimes point it out to appropriate people. It’s great that it exists! The account recovery trade-off means that it’s not the best fit for everyone. (Also needs better documentation to guide people on the trade-offs).