vigilans | 2 years ago
Every part of the industry that matters has been bitten by using phone numbers as a 2FA mechanism. It's why they're actually disappearing and are being phased out in favor of apps, OTP tokens, and email codes, depending on the amount of influence technical people wield at a given org.
Dalewyn | 2 years ago
And all of them are some form of jank or inconvenience.
Look, most people (myself included) don't give a fucking fuck about security. Our time lost to the kabuki theater of security is worth more than the so-called "security" we gain, and that's assuming whatever is being secured is even worth securing.
A determined attacker will ignore all that and just undermine everything with social engineering against a useful customer support tech anyway.
Unless your solution is as simple as entering a password and hitting a button, which is the digital equivalent to taking out a key and unlocking your front door, it is not going to see widespread acceptance. Make your fucking security solutions convenient, not secure. kthxbai.
Even cars did away with keys because turning the ignition is an inconvenience compared to just pushing a button.
tialaramex | 2 years ago
What password?
I mentioned the NHS app I use in a different sub-thread, so let's try my (not very good, would not recommend but they offered decent credit balance interest) current account. I tap the app on my phone, I get a whirl of nonsense, and then:
"Verify that it's you" and I touch the fingerprint sensor on my Pixel 6.
And that's it. No passwords, no PINs, no SMS messages, no separate authenticator device.
This is much more secure than real human passwords (it'll be an elliptic curve signed message, so similar to HTTPS) and much more convenient, and short of convincing me to literally send you my phone and my finger, you can't trick me into giving you access.
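The "elliptic curve signed message" flow tialaramex describes, written out as an added illustration (not code from the thread, the NHS app, or any bank): the server stores only the device's public key and hands out a one-time random challenge; the phone signs SHA-256(origin || challenge) with a P-256 key that is only usable while "unlocked" (standing in for the fingerprint check); the server verifies with the stored public key and discards the challenge. The origin string, the `Server`/`Device` types and the `Unlock()` call are assumptions for the model, not any product's API. It also shows why the comment's claims hold against the social-engineering and phishing worries raised upthread: a captured signature cannot be replayed, a signature produced for a look-alike origin does not verify, and a locked device refuses to sign at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server side of the model: holds only public keys and one outstanding
// challenge per account. (Illustrative, not any real app's implementation.)
type Server struct {
	Origin     string                      // site identity the signature is bound to
	pubKeys    map[string]*ecdsa.PublicKey // account -> enrolled device public key
	challenges map[string][]byte           // account -> unused challenge nonce
}

func NewServer(origin string) *Server {
	return &Server{
		Origin:     origin,
		pubKeys:    map[string]*ecdsa.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register enrols a device's public key; the private key never reaches the server.
func (s *Server) Register(account string, pub *ecdsa.PublicKey) {
	s.pubKeys[account] = pub
}

// NewChallenge issues a fresh 32-byte random nonce that may be used exactly once.
func (s *Server) NewChallenge(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[account] = c
	return c, nil
}

// Verify checks the signature over (origin || challenge) and consumes the
// challenge, so a captured signature cannot be replayed and a signature made
// for a different origin does not verify here.
func (s *Server) Verify(account string, sig []byte) error {
	pub, ok := s.pubKeys[account]
	if !ok {
		return errors.New("unknown account")
	}
	c, ok := s.challenges[account]
	if !ok {
		return errors.New("no outstanding challenge (replayed or never issued)")
	}
	delete(s.challenges, account) // single use, whether or not it verifies
	if !ecdsa.VerifyASN1(pub, signedDigest(s.Origin, c), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// signedDigest binds the challenge to the origin the device believes it is talking to.
func signedDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Device side: a P-256 private key usable only while "unlocked", standing in for
// the phone's secure hardware gating key use on a fingerprint match (assumed model).
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }
func (d *Device) Unlock()                    { d.unlocked = true } // biometric matched
func (d *Device) Lock()                      { d.unlocked = false }

// Sign returns an ECDSA signature over the origin-bound challenge, or refuses when locked.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, signedDigest(origin, challenge))
}

func main() {
	srv := NewServer("https://bank.example") // constructed origin
	dev, _ := NewDevice()
	srv.Register("alice", dev.PublicKey())

	c, _ := srv.NewChallenge("alice")
	dev.Unlock()
	sig, _ := dev.Sign(srv.Origin, c)
	fmt.Println("login:", srv.Verify("alice", sig))  // <nil>
	fmt.Println("replay:", srv.Verify("alice", sig)) // rejected: challenge already consumed

	c, _ = srv.NewChallenge("alice")
	other, _ := dev.Sign("https://other.example", c) // signed for a different origin
	fmt.Println("wrong origin:", srv.Verify("alice", other)) // rejected: bad signature

	dev.Lock()
	_, err := dev.Sign(srv.Origin, c)
	fmt.Println("locked:", err) // rejected: user verification required
}
```

The property worth noticing is that nothing a customer support tech can hand over is useful here: the server's record is a public key, the challenge is worthless once used, and the signature only means something for the origin it was made for.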