Adding SMS-based two-factor authentication to your systems?

Do us all a major favour: put the phone numbers for that purpose in a brand-new field in your data structure. Why? 🧵
If you put data which can only be used for restricted purposes in a new field, then no code already uses it. You don't have to check every piece of code and every script your folks have ever written.

Because everyone checks in every single script they write, right?
Bonus points if you can restrict what code can access that new field to, say, only the authentication system. If you don't, that means you're relying on all your engineers not to accidentally shoot everyone vigorously in the foot. I prefer to have fewer things to worry about. 🤷
Bonus points for giving the new field a name which is hard to mistake when someone inevitably copies code, like "phone_number_for_2FA_only". I ... might have made flags for the Google RPC system named things like "--securityTeamToldMeThisWasABadIdeaButIDidItAnyway"
Never underestimate the power of making sure that people writing code understand *exactly* what it's doing, by writing better-shaped and better-described APIs. The number of crypto fails because most crypto APIs require you to be a freaking cryptographer boggles the mind.
I mean, if you're choosing to use a phone number or whatever other data given to you for one purpose for another, these design suggestions won't help you up front, but they almost certainly will down the line when you have to reverse that decision, so you might as well.
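An added illustration of the two suggestions above (example code, not from the thread): the 2FA number lives in its own field with an unmistakable name, and a descriptor refuses reads from any function not explicitly registered as authentication code, so a copy-pasted marketing sender fails loudly instead of silently misusing the number. The class and function names, the decorator mechanism and the phone numbers are all constructed for this example.

```python
import inspect

# Code objects of functions allowed to read purpose-restricted 2FA fields.
_ALLOWED_CODE = set()


def authentication_only(fn):
    """Register fn as part of the authentication system (hypothetical helper)."""
    _ALLOWED_CODE.add(fn.__code__)
    return fn


class PurposeRestrictedField:
    """Descriptor: the value can be written normally but only read by
    functions registered with @authentication_only."""

    def __set_name__(self, owner, name):
        self.public_name = name
        self.storage = "_" + name

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        # The frame one level up is the function that touched the attribute.
        caller = inspect.currentframe().f_back.f_code
        if caller not in _ALLOWED_CODE:
            raise PermissionError(
                f"{self.public_name} may only be read by authentication code "
                f"({caller.co_name} tried)")
        return getattr(obj, self.storage)

    def __set__(self, obj, value):
        setattr(obj, self.storage, value)


class User:
    # New, clearly named field: nothing that predates 2FA can be using it.
    phone_number_for_2fa_only = PurposeRestrictedField()

    def __init__(self, contact_phone, phone_number_for_2fa_only):
        self.contact_phone = contact_phone            # general-purpose number
        self.phone_number_for_2fa_only = phone_number_for_2fa_only


@authentication_only
def send_2fa_code(user, code):
    return f"SMS to {user.phone_number_for_2fa_only}: your code is {code}"


def send_marketing_sms(user, text):
    # Copy-paste mistake: reaches for the 2FA number instead of contact_phone.
    return f"SMS to {user.phone_number_for_2fa_only}: {text}"
```

Constructed numbers such as `User("+1-555-0100", "+1-555-0199")` make `send_2fa_code` work while `send_marketing_sms` raises `PermissionError` naming the offending function.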
Your 2FA is only as secure as your account recovery.

SMS does have an advantage there: because you can (largely) rely on the user to have or recover their phone number and bootstrap from there. If they've smashed their security key or their phone, not as easy of an operation.
You can follow @LeaKissner.