I claim there is some value in SMS 2FA. It is not appropriate for high value targets.

There are better choices.

Here are links to Google research studies showing SMS 2FA prevents large numbers of account takeover.

Refuting? Cite your sources.

https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
https://twitter.com/dotmudge/status/1283776098862604289

I don’t say “cite your sources” to be antagonistic.

I honestly want new data at similar scales.

*Especially* if it contradicts my beliefs.

That way I can consume it and update my understandings.

In fact, there are cases where you may want to *disable* SMS 2FA.

Consider your reset email account: If you can afford it (HW keys aren’t free), turn off SMS 2FA and use unique password + U2F.

That way a reset link, for a SIM swapped account attack, is inaccessible to the attacker.
You can follow @dotMudge.