> Unfortunately, it doesn’t work like that. When a service enables SMS-2FA, an attacker can simply move to a different service.<p>That argument is just nonsensical. If you're a provider, the user being compromised on some other service doesn't really matter (and there's nothing you can do to prevent it anyway). While preventing the compromise protects the platform from abuse, saves on customer support on having to help the hijacked user recover, etc. While if you're a user, obviously it's better to be hijacked on as few (and as unimportant) services as possible.<p>> Instead, why not simply randomly generate a good password for them, and instruct them to write it down or save it in their web browser?<p>The users don't know how to save a password in the web browser. They'll lose the piece of paper. They'll be unable to log in, and effectively end up in an eternal loop of recovering their account (with SMS!) every time they log in, and getting a new password they can't remember. If you end up sending the user an SMS anyway on every log in, might as well use the version where you get to use knowledge of the password as a gating factor.<p>> If we spend all that good will on irritating attackers, then by the time we’re ready to actually implement a solution, developers are not going to be interested.<p>I'm really not sure what this is referring to. Other than this comment, I thought Tavis was railing against forcing users to do SMS 2FA. But then it turned out that the resource he is concerned about is developer goodwill, which doesn't really make sense.<p>There are a few classes of developers.<p>1. Huge companies with security teams that are willing to entirely implement their own authentication systems. Their goodwill is not going to be exhausted, since they're implementing what those teams think is the best for their platform's security.<p>2. Companies with potentially sensitive data who outsource some or all of the authentication to some kind of identity provider or identity platform. Their goodwill won't be exhausted: they'll just expect the provider to implement whatever the best practice is at any time.<p>3. Companies that don't care, and just roll their own username + password auth. They aren't going to implement SMS 2FA any more than they would implement U2F.
I believe the arguments that SMS-2FA is not effective against phishing. (Or, at the least, I can't provide a compelling counter-argument.) But I had always thought of SMS-2FA against a more banal problem:<p>1. You have a unique, long password with Foo.<p>2. Oh no! They store your password in plaintext, and their security is terrible, so your username and password are part of a giant data breach from Foo.<p>3. Before you know about it and can change your password, someone that is not you, who does not have access to your phone, tries to log into the account.<p>4. While out living your life (or <i>in</i>, these days), you receive an SMS from Foo, and then ignore it.<p>5. There is no step 5, as no one else is getting in.<p>6. Okay, fine, you caught on, and now you log in and change your password with Foo, or maybe just drop the account, because <i>really</i>.<p>It seems to me that SMS-2FA helps in this scenario. Am I missing something obvious?
He's arguing not just against SMS-2FA, but against 2FA itself, and his simple solution is to "just use a strong password".<p>The author completely misses the point about the value of 2FA itself. I agree SMS-2FA is not good, but that doesn't mean 2FA is worthless.
Yes, it's true that SMS-based authentication has its flaws, but it's far from useless/harmful in many contexts. The same strawman arguments used here would also find TOTP "wholly ineffective" which is an absurd conclusion.<p>A main goal of security engineering is to increase the difficulty level for attackers. SMS authentication has demonstrated its ability to do this in a highly accessible, albeit imperfect, manner. I feel that the author severely underestimates the practical difficulties of widely deploying "Unique Passwords and U2F".<p>I strongly disagree with the conclusion that "SMS-2FA is not only worthless, but harmful" and highly recommend consulting a security professional before entertaining any of the arguments or following any of the suggestions in this article. I don't like leaving negative comments, but this is at best borderline misinformation that has the potential to create severe consequences.<p>Some more context, if you want to consider a more balanced perspective:
<a href="https://doublepulsar.com/infosecs-fantastic-fear-of-everything-why-the-reddit-incident-shouldn-t-cause-infosec-to-throw-4bb3b7ea634f" rel="nofollow">https://doublepulsar.com/infosecs-fantastic-fear-of-everythi...</a>
SMS 2-factor is wrong and bad and NIST has been yelling about this since 2016 or before. Simjacking is real and fairly commonly used in targeted attacks.<p>2-factor as an idea is great, and this author seems very confused.
After multiple experiences where I couldn't log into an account due to not having a phone signal, I refuse to use SMS-2FA on any service. Given that I already use strong passwords, the marginal security advantages are far outweighed by the potential lack of availability.
SMS 2FA exposes a person's cell phone account to attack, and the carriers aren't hardened to handle it. Jack Dorsey getting hacked proves how stupid using SMS for anything. Please, implementing this. Use FIDO U2F or TOTP. It's not that hard, my 70 year old mother has it enabled and has no issues with it.
I've got the dual yubico key thing going. It seems to work fine. I don't need to pick overly complex passwords if I don't want to.<p>Google does this well. Yubico Security Key + they seem to monitor my logins / rate limits etc.<p>I deal as do many folks with relatively to extremely sensitive info (yes, also have stuff on auto-delete).<p>Complex passwords require a password manager - if those get updated and rooted then my yubico seems to save me again.<p>In fact, with yubico I have a few passwords I memorized that aren't TOO crazy long - with a 2FA hardware key you may be able to SIMPLIFY passwords and still have good security.<p>And the yubico is EASY! Clip it to your keychain and go.
The thing I find odd about sms 2fa is I sometimes get multiple services texting me through the same short code. Isn't that a security hole in itself? If a user recognizes a number as the "security number that texts me sometimes" and I as an attacker know this, couldn't I somehow abuse this?<p>For example: "Please go to x url and enter your password" -> user enters pw -> show new form with 2fa code input (and in the background, try logging into their account with the pw supplied) -> user gets another text from the same number, enters in your site -> profit???
I think this misses the point... do you need your own auth at all?<p>Security is only as strong as the weakest link. If you have a "forgot password" that emails you a login or a "lost/changed phone" that removes the sms, don't bother even having the password or sms.<p>Falling back to email means you've just pushed your auth behind the email's auth. Just use it directly by using oauth with google, o365, facebook or whatever makes sense for your target audience and be done with it. If you are b2b, use saml.
The prescriptions in "If you’re a security conscious user..." make sense to me. If you use a unique password, sms/totp adds very little benefit.<p>However the section for "If you’re a security conscious vendor..." doesn't make sense. Credential stuffing is so common, and sms/totp is a great tool against it. You could prevent users from setting their own passwords, but that seems a little "too different" from existing sites that it could harm usability.
Okay, the argument about credential stuffing is fairly weak. 2FA on a given service makes it an ineffective attack against that service. If you have 2FA on <i>all</i> of your services, credential stuffing won't work on any of them, so you're then immume. Moreover, not all services are identical - Email merits two distinct hardware keys, my Steam account warrants an emailed password, my BeerAdvocate account... probably doesn't need anything.