Sure, but implementation matters. I've long thought that 2 factor via SMS is a sub-optimal solution because it trains you to expect secure login info from a random shortcode SMS number.
Account recovery is always a nagging weak spot. At some point, a user will forget their password or lose their TFA device, and now you need them to be able to prove their identity outside of the usual flow. And if you have enough users, this has to be automated, leaving even more room for exploitation.
I would love it if, for services that I REALLY care about never ever ever being broken into (email, web hosting), there was ONLY the $100-and-speak-to-a-human option to change the password.
I would even make it $100 + Skype, and show your passport live on Skype.
"showing your passport on skype" seems insecure - I imagine it would not be very hard to paste a page with some computer-vision image registration barcodes on the photo page, and then hack up a video filter which pastes in an arbitrary bitmap.
Charging $100 is pretty punitive, but I've often wondered why more online services sensitive to attack don't use token credit card charges as a way to limit account duplication, increase complexity in a malicious operation, etc.
Stealing credit cards is cheap, yes, but the additional cost to using such a card on a password reset would still be a deterrent.
The problem with charging people for password resets is that by making the process of resetting a password more expensive, you've now encouraged people to reuse passwords. People know when they sign up for your service that resetting a password is going to be expensive, so they'll use a password that they're sure not to forget, i.e. the password they use for everything else.
I would posit that even with this social engineering exploit, Google's two-factor SMS authentication is still more secure than charging people for password recoveries (and thus encouraging password reuse).
I seem to recall there were some services that charged a one-time small fee in the late-90s / early-2000s basically for that reason. But in the past 10 years most seem to have moved to requiring a mobile phone number as the hurdle instead. The idea is that it has some of the same deterrent effect for bad actors, since coming up with a steady stream of unused mobile numbers costs a nonzero amount, but produces less sign-up friction for legitimate users.
Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager. You could even make it free for the first few hours after the account is created or the password is changed in case the user pastes it into their password manager incorrectly.
And how many "normal" people do you know that use a password manager? It's 0 for me. They don't even use post-it notes, which would be an improvement over "I'll just try to remember the password, and if I can't, I'll ask someone to help me".
I'd say it is two factor (Google's implementation; the attack is classical social engineering): something you know (the password) and something you have (access to your phone).
In Google's implementation, only the "something you have" is really necessary for access. If you have the phone but not the password, you can just issue a password reset, which is confirmed via the phone, so the password doesn't function as a second factor independent of the phone.
I wonder if anyone implements the restriction that a password reset can only be ordered after a certain time (a week, say) since the last successful password entry, for long-established accounts. Most real password resets are likely either in long-dormant or recently-created accounts, and this would add just another layer of partial protection against these kinds of attacks.
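A sketch of the dormancy rule proposed in the comment above, as an added example rather than any commenter's code or Google's actual implementation. The thresholds, the `Account` fields and the creation grace window (borrowed from the earlier suggestion of free resets shortly after sign-up) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy thresholds; tune to the service's own risk appetite.
ESTABLISHED_AGE = timedelta(days=30)   # older than this counts as long-established
RESET_COOLDOWN = timedelta(days=7)     # "a week, say" since the last password login
CREATION_GRACE = timedelta(hours=24)   # resets are unrestricted right after sign-up


@dataclass
class Account:
    created_at: datetime
    # None if the password has never been entered successfully (assumed field).
    last_password_login_at: Optional[datetime]


def reset_allowed(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Decide whether a self-service (e.g. SMS-confirmed) password reset may start.

    The idea: an attacker holding only the phone should not be able to reset
    the password of an account whose owner typed that password yesterday.
    A denial is worth logging and surfacing to the owner, since it is itself a
    signal that someone else is trying to take the account over.
    """
    age = now - acct.created_at
    if age <= CREATION_GRACE:
        return True, "recently created account; reset allowed"
    if age < ESTABLISHED_AGE:
        return True, "account not yet long-established; reset allowed"
    if acct.last_password_login_at is None:
        return True, "no recorded password login; reset allowed"
    since_login = now - acct.last_password_login_at
    if since_login >= RESET_COOLDOWN:
        return True, "no password login for a week or more; reset allowed"
    wait = RESET_COOLDOWN - since_login
    return False, f"password used {since_login.days}d ago; reset blocked for {wait.days}d more"


if __name__ == "__main__":
    # Constructed sample: an old account whose owner logged in yesterday.
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    acct = Account(datetime(2023, 1, 1, tzinfo=timezone.utc),
                   datetime(2024, 1, 30, tzinfo=timezone.utc))
    print(reset_allowed(acct, now))
```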
Whoa. I hadn't realized this. So someone that knows my email address and has my phone has access to my entire life, because all password resets use my email address.
If it's come to this, to using "something you have", then we can all go back to using paper password notebooks. They offer the same security, surprisingly.
There have been many attacks in Russia where attackers would get a duplicate SIM card from the operator (either with a bribe or a forged passport) and then proceed to hack everything linked to it: Gmail, banks, Facebook, etc.