Comment on Millions of people imperiled through sign-in links sent by SMS
artyom@piefed.social 4 days ago
This is a crazy problem. Even Apple requires you to use SMS 2FA, and does not let you opt out or use any alternatives.
My employer uses this as well and I was locked out (couldn’t do any work) for an entire day because their SMS messages were not being delivered.
irotsoma@piefed.blahaj.zone 3 days ago
2FA isn’t the issue. The issue is single-factor logins with only text messages, no password and often no username. Those messages allow anyone who intercepts them to log in; no username or password is involved at all.
2FA via SMS is a perfectly fine solution, though there are more secure options like yubikeys or TOTP generation apps.
artyom@piefed.social 3 days ago
Completely disagree
irotsoma@piefed.blahaj.zone 2 days ago
How so?
It’s a second factor. It’s “something you know”, “something you have”, and/or “something you are”. The username and password are the “something you know” and the SMS message is “something you have” (i.e. the phone). There’s no need for the second factor to be secret as long as it is single-use and time-sensitive and is only used as a second factor, not the only factor.
This article was about single-factor messages that are the entirety of the login flow, so not about 2FA, but I’m still interested in the concerns for second factor. It is still adding security over a password alone which is the only goal in the 2FA subject.
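Added example, not from the thread or any of its posters: the distinction irotsoma draws above (a texted code that is the whole login, versus a texted code that is only accepted after the password checks out and is single-use and time-limited) written out as a small in-memory login flow. The account data, phone number, code length, 300-second lifetime and three-guess limit are all constructed for the example; the "SMS gateway" is a list that records what would have been sent.

```python
"""Added example: an SMS one-time code used strictly as a SECOND factor.

Properties enforced: the code is issued only after the password checks out,
it expires, it is accepted at most once, and a few wrong guesses burn it.
Nothing here talks to a real service; the in-memory "gateway" just records
what would have been texted. All names and policy values are assumptions.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy value
OTP_MAX_ATTEMPTS = 3    # assumed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_code(code: str) -> bytes:
    # Store only a digest of the live code so a leaked table is not a login.
    return hashlib.sha256(code.encode()).digest()


class Account:
    """Factor 1 ("something you know"): a salted password hash."""

    def __init__(self, username: str, password: str, phone: str):
        self.username = username
        self.phone = phone
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_password(password, self._salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, _hash_password(password, self._salt))


class TwoFactorLogin:
    """Two-step login: password first, then an SMS code tied to that attempt."""

    def __init__(self, accounts, now=time.time):
        self._accounts = accounts     # username -> Account
        self._pending = {}            # username -> [code_hash, expires_at, attempts_left]
        self._now = now               # injectable clock so expiry can be tested
        self.sent_messages = []       # stand-in for the SMS gateway: (phone, code)

    def start(self, username: str, password: str) -> bool:
        """Check the password; only on success mint and 'send' a code."""
        acct = self._accounts.get(username)
        if acct is None or not acct.check_password(password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [_hash_code(code), self._now() + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS]
        self.sent_messages.append((acct.phone, code))
        return True

    def finish(self, username: str, code: str) -> bool:
        """Accept the code once, unexpired, and only if start() succeeded first."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # no password step: the code alone is not a login
        code_hash, expires_at, _attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]       # expired: the single-use window is over
            return False
        if not hmac.compare_digest(code_hash, _hash_code(code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[username]   # too many guesses burns the code
            return False
        del self._pending[username]           # success consumes the code: no replay
        return True


def demo() -> dict:
    """Walk through the cases with constructed data and a fake clock."""
    clock = [1_700_000_000.0]
    login = TwoFactorLogin({"alice": Account("alice", "correct horse", "+15555550100")},
                           now=lambda: clock[0])
    out = {}
    out["code_without_password"] = login.finish("alice", "123456")       # False
    out["wrong_password"] = login.start("alice", "wrong")                # False
    out["sms_sent_on_wrong_password"] = len(login.sent_messages)         # 0
    out["right_password"] = login.start("alice", "correct horse")        # True
    code = login.sent_messages[-1][1]
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    out["wrong_code"] = login.finish("alice", wrong)                     # False
    out["right_code"] = login.finish("alice", code)                      # True
    out["replay"] = login.finish("alice", code)                          # False
    login.start("alice", "correct horse")
    code = login.sent_messages[-1][1]
    clock[0] += OTP_TTL_SECONDS + 1
    out["expired"] = login.finish("alice", code)                         # False
    login.start("alice", "correct horse")
    code = login.sent_messages[-1][1]
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    for _ in range(OTP_MAX_ATTEMPTS):
        login.finish("alice", wrong)
    out["burned_after_guesses"] = login.finish("alice", code)            # False
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first case in demo() is the single-factor flaw the article is about: a code presented with no prior password step is rejected outright. The remaining cases are the properties that make the non-secret SMS channel tolerable as a second factor: the code is never sent on a wrong password, is consumed on first use, lapses after its lifetime, and is discarded after a few wrong guesses so a six-digit code cannot be brute-forced.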
artyom@piefed.social 2 days ago
All of the same reasons for single factor also apply to MFA.
It’s also dependent on other services, is a privacy violation, and a giant fucking pain in the ass if you ever want to change your phone number, or like me, you have service issues.
There are many other alternate, more secure, more convenient, more resilient options.
sem@piefed.blahaj.zone 2 days ago
I messaged my bank and they were unable to opt me out of it…
artyom@piefed.social 2 days ago
Same. Most of them don’t allow it.