mooted1 | 6 years ago

Security isn't black and white. SMS doesn't neutralize the value of 2FA since the effort required to compromise it is still considerable, such that the highest risk methods outlined by NIST require physical proximity to the phone.

While SMS is inappropriate for high value targets such as employees with infrastructure access or people with government security clearances, it remains an excellent option for general consumer security.

By contrast, the vast majority of people who use login.gov likely don't understand nor will they ever install an authenticator app. It makes sense to deprecate support for this vector if, presumably, few people are using it.
