
Boldened15 | 10 months ago

Don’t 2FA apps have the major downside that if you lose the specific mobile device you installed it on, you’re SOL unless you have backup codes that are too technical for most? SMS gets you more human support since you pay your carrier: I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone. So most of the time, unless your SIM is hijacked, it’s a good proxy for being actually you.

Plus having to download another app adds friction to the signup process and most users aren’t going to bother, so for most it’s SMS 2FA or nothing. Since apps often want your phone number anyway for bot prevention, and users are used to verification codes, it’s not a big deal.

Also, there’s a tail end of other issues with 2FA apps (and SMS 2FA predates the nice ones anyway): in other countries there are devices other than iOS/Android to suggest an authenticator app for, limited network speeds and device storage, etc. Heck, I know people in the U.S. with full device storage who can’t download new apps without deleting some stuff. If you’re a random app and not a tech company, SMS 2FA is just going to be much easier to implement.

jeroenhd | 10 months ago

The whole point of 2FA is that once you lose possession of your physical second factor, you lose access. If you can maintain access after losing the hardware, you've just added a second password. SIM swapping attacks have proven very effective at showing how easy it is for someone to bypass SMS 2FA. It's better than no 2FA, but it's the worst second factor out there.

If you don't want to lose access after losing your second factor, you don't want two factor authentication. Trying to make 2FA something it's not only muddies the waters and makes things annoyingly confusing.

I don't think "I know someone whose phone can't handle a 2MiB TOTP app" is a good reason not to offer real 2FA on a website. Sure, offer SMS codes for people who don't care much about security beyond ticking auditor boxes.
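A worked illustration of the two things the posts above argue about, the possession-only nature of a TOTP app and the backup-code recovery path, added here as an example and not part of the thread or any commenter's code. It is standard-library Python implementing HOTP/TOTP as specified in RFC 4226/6238, with a small clock-skew window, plus single-use backup codes of which only hashes are stored. The secret is the RFC 6238 Appendix B test-vector value (not a real user secret); `BackupCodes`, `verify_totp` and `demo` are this example's own names.

```python
"""HOTP/TOTP (RFC 4226/6238) and single-use backup codes, stdlib only."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and `skew` steps either side, so a phone
    whose clock is slightly off still works. Comparison is constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-skew, skew + 1)
    )


def provisioning_secret(nbytes: int = 20) -> tuple:
    """Fresh enrolment secret; the base32 form is what the QR code carries to the app.
    The server keeps the raw bytes; if the phone is lost, only the server copy remains."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode().rstrip("=")


class BackupCodes:
    """Single-use recovery codes. The server stores only a hash of each code, so a
    database leak does not hand out usable codes; the 64 bits of entropy per code are
    what make the hash hard to brute-force. Online guesses still need rate limiting."""

    def __init__(self, count: int = 8):
        # Plaintext codes exist only at generation time, to be shown to the user once.
        self.plain = [secrets.token_hex(8) for _ in range(count)]
        self._hashes = [self._h(c) for c in self.plain]

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        """Consume a code; presenting the same code a second time is refused."""
        h = self._h(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, h):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def demo() -> dict:
    """Enrol, verify a code, then recover with a backup code after 'losing' the device."""
    # RFC 6238 Appendix B test secret (constructed per the RFC, not a real user secret).
    secret = b"12345678901234567890"
    out = {}
    out["code_t59"] = totp(secret, 59)                          # RFC vector: "287082"
    out["ok_exact"] = verify_totp(secret, "287082", 59)
    out["ok_skew"] = verify_totp(secret, "287082", 59 + 30)     # one step late: accepted
    out["too_late"] = verify_totp(secret, "287082", 59 + 60)    # two steps late: refused
    out["bad"] = verify_totp(secret, "000000", 59)
    codes = BackupCodes()
    first = codes.plain[0]
    out["redeem1"] = codes.redeem(first)    # device gone, backup code lets the user in
    out["redeem2"] = codes.redeem(first)    # replaying the same code fails
    out["left"] = codes.remaining()
    return out


if __name__ == "__main__":
    print(demo())
```

The point the demo makes concrete: once the phone holding the secret is gone, nothing the user knows can reproduce a code, and the only way back in is a backup code the server can check against its stored hash. Anything else (a support desk re-issuing access on an ID check) is a process outside the second factor, which is exactly the distinction drawn above.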

razakel | 10 months ago

> I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone.

And I can do the same pretending to be you, or simply bribe the minimum-wage cashier who doesn't really care.

Do they even have a flag for highly sensitive accounts, e.g. set off an alarm if someone tries to issue a new SIM for the President?