by alexsmolen
3616 days ago
The problem is that SMS provides better recovery rates than TOTP/HOTP + backup codes, because people can go to their carrier and get a new device at the same number. It's important to remember that availability is an important aspect of security. If you protect a user primarily concerned with mass-account takeover attacks from a low-probability threat (people intercepting their SMS channel) but introduce a high-probability threat (dropping their phone in the toilet and being locked out of their account forever), you may not have made a good security tradeoff.