> The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.
I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else. Every piece of information the attacker can get is valuable for forging auth.
What SMS is good at is being available. At this point cell phones are distributed to a massive portion of the world. But at this point smartphones can also act as U2F devices, I believe, so I'm not sure that benefit is so meaningful anymore.
Instead of companies wasting time on SMS 2FA they should be figuring out how to help their customers set up U2F.
I'd like to avoid being in a situation in 10 years where we have great options for end users available but 2FA SMS is still supported for legacy reasons, and unwitting users end up using it because it seems easier and they don't understand the risks.
> I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else.
So it's better to not consider that information at all?
What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?
The problem you're describing is that services accept SMS in lieu of other forms of verification, such as an actual password. Personally, I would very much like it if I could turn off any and all forms of "I forgot my password" flows. There should at minimum be a one-week waiting period or similar.
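One way to build the waiting period suggested in that comment, as an added example that is not code from any commenter or product mentioned in the thread: a recovery request is opened immediately, but the token it hands out does not become usable until a fixed delay has passed, and the account owner can cancel it during that window (after being notified on their existing contact channels). The class and method names, the one-week delay, and the injected timestamps are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# One-week cooling-off period before a recovery token becomes usable.
# The length is an assumption taken from the comment above.
WAIT_SECONDS = 7 * 24 * 60 * 60


def _digest(token: str) -> bytes:
    """Hash a token so the stored value is useless if the table leaks."""
    return hashlib.sha256(token.encode()).digest()


@dataclass
class RecoveryRequest:
    account: str
    token_hash: bytes
    created_at: float
    cancelled: bool = False
    used: bool = False


class RecoveryService:
    """Hypothetical recovery service with a mandatory waiting period.

    Timestamps are passed in explicitly so the delay can be exercised in a
    test without actually waiting a week."""

    def __init__(self, wait_seconds: int = WAIT_SECONDS) -> None:
        self.wait_seconds = wait_seconds
        self._pending: dict[str, RecoveryRequest] = {}

    def request_recovery(self, account: str, now: float) -> str:
        """Open a recovery request and return the one-time token to deliver
        to the user. A new request replaces any older pending one, which
        also restarts the clock. The caller is expected to notify the
        account's existing contact channels so the real owner can cancel."""
        token = secrets.token_urlsafe(32)
        self._pending[account] = RecoveryRequest(account, _digest(token), now)
        return token

    def cancel(self, account: str) -> bool:
        """Abort a pending request (owner clicked a 'this wasn't me' link or
        logged in normally during the window). Returns True if one was
        pending and is now cancelled."""
        req = self._pending.get(account)
        if req is None or req.cancelled or req.used:
            return False
        req.cancelled = True
        return True

    def complete(self, account: str, token: str, now: float) -> bool:
        """Return True only when the token matches, the request has not been
        cancelled or already used, and the waiting period has fully elapsed.
        All failures return the same False so the endpoint does not reveal
        which check failed."""
        req = self._pending.get(account)
        if req is None or req.cancelled or req.used:
            return False
        # Constant-time comparison on the hashes avoids leaking the token
        # byte by byte through timing.
        if not hmac.compare_digest(req.token_hash, _digest(token)):
            return False
        if now - req.created_at < self.wait_seconds:
            return False
        req.used = True
        return True
```

The point of the delay is that possession of a recovery channel (SMS or otherwise) is not enough on its own: the legitimate owner gets a week of notifications in which to cancel, and re-requesting recovery restarts the clock rather than shortening it.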
> So it's better to not consider that information at all?
Exactly
> What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?
They're equivalent in my mind - SMS is such a weak 2FA mechanism, and it's so easy to get wrong and have it decrease your overall security, any benefit is lost. Rather than pushing SMS because it's what we have we should make greater efforts to leverage technology that we know is considerably better in every regard except availability today - IMO that is the problem to solve.
The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.