Comment on Millions of people imperiled through sign-in links sent by SMS
artyom@piefed.social 1 day agoThe way TOTP works
Okay I thought you were still talking about SMS.
The messages aren’t encrypted at rest but, the connections are. You need a key in the physical sim card to intercept anything
No you do not. Most phones don’t even have this anymore.
And sim swap only works if you also have the person’s username and password for 2fa
Yes, and for the 3rd time, all the same vulnerabilities exist in MFA.
irotsoma@piefed.blahaj.zone 1 day ago
I was talking about sms. All types of cryptographic code generation uses one or more keys. The sms type just uses one that only the sender holds, it’s never shared with anyone which can cause it to be more easily lost.
The sim cards and their cryptographic keys are just built into the phones, and the codes are swapped when you sign up, same concept as renovable sim cards.
And again, it doesn’t matter of a sms code is intercepted as much as the entire login method. If you dont have the username and password, what good does an sms code do for anything? The issue in the article is that there’s nothing else to know, just the current format of the set of codes being generated by the system. Then you can randomly guess a similar code and get access to a random person’s account. Much, much different from the use MFA which is worthless without ALL of the factors, not just a single one.
artyom@piefed.social 1 day ago
The entire point of MFA is to protect against someone who does have your username and password…
irotsoma@piefed.blahaj.zone 1 day ago
Exactly, so it does that job because it requires an entirely different and complex skill-set to intercept sms messages and you have to do both things now if sms 2FA is in place. With the issue in the article you dont even need to intercept sms meant for a particular user to get access to random users’ accounts, thus totally different issue.
I asked, what is better for a second factor than SMS?
artyom@piefed.social 1 day ago
It does, really poorly, for the reasons I’ve listed, and for the reasons in the OP.
Not a different issue at all. Exact same issue, with lower risk.
I answered this like 12 comments ago.
We’re going around in circles now so I’ll bid you good night.