Comment on Millions of people imperiled through sign-in links sent by SMS
artyom@piefed.social 2 days ago
All of the same reasons for single factor also apply to MFA.
It’s also dependent on other services, is a privacy violation, and a giant fucking pain in the ass if you ever want to change your phone number, or like me, you have service issues.
There are many other alternate, more secure, more convenient, more resilient options.
irotsoma@piefed.blahaj.zone 2 days ago
The problem is that finding something universal, something almost everyone has, that counts as a “something you have” is difficult. Almost everyone has a cell phone these days, so it’s a good option to use as that kind of factor. Email is a second “something you know” factor (i.e. via the password to your email account) and could be the same something if you use the same password. And getting someone to carry yet another device, even if it’s simple like a Yubikey or something like that, can be difficult. And unless biometric devices become universal on computers as well as phones, the “something you are” factor is hard to accomplish universally as well.
So, what options do you think are better that can be a “something you have” for use as a second factor to a password or other type of “something you know” factor?
artyom@piefed.social 2 days ago
TOTP or passkey are my preferred MFA options
irotsoma@piefed.blahaj.zone 2 days ago
SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password to the thing storing the keys. SMS based TOTP leaves the keys only with the site you’re logging into and only the time sensitive TOTP codes are ever sent out. And although the lifetime period for SMS TOTP has to be longer, they are additionally expired on single use (assuming it’s implemented properly).
artyom@piefed.social 2 days ago
You know what I meant.
And anyone can get the keys to your phone number much more easily using the methods detailed in the OP.