Hacker News new | ask | show | jobs
by ahelwer 2950 days ago
Nope, it's worse. Websites will use it as an authentication method in password-reset workflows, which means hacking your account reduces to intercepting or redirecting text messages (easily accomplished). Rampant cryptocurrency theft over the past year has conclusively demonstrated that SMS-based 2FA is worse than no 2FA at all. The worst offender? Gmail. It uses your phone number for password recovery and is in turn used for password recovery by every other website.
1 comments
lotsofpulp 2950 days ago
Gmail allows you to use SMS, but does not force you to and gives you other secure options.
link
ahelwer 2950 days ago
That's true, but I single it out because:

1) Many people have had their Gmail account for a long time, starting before SMS-based 2FA was widely known as a security disaster (this is in fact still not widely-known)

2) Google still actively encourages users to add a recovery phone number

3) Users could have added a phone number years ago then forgotten (this was the case with myself)

4) Users often have many websites using their Gmail account for password-reset workflows (this is definitely the case with myself)

All of these combine to make Gmail the ideal hacker entrypoint. See this hack: https://www.reddit.com/r/ethtrader/comments/8klw4f/someone_j...

link
gruez 2950 days ago
>2) Google still actively encourages users to add a recovery phone number

i would consider the average person to be pretty bad at handling otp backups. how else would you do recovery?

link
ahelwer 2950 days ago
You are correct this is a significant usability issue. Personally I use Authy, which performs automatic encrypted backups in case I lose my phone. I then have to remember my Authy recovery password (not stored in my password manager, which is itself secured with a TOTP - hello circular dependency danger!) I also keep a yubikey authorized with all my accounts as second backup.

All these things are beyond what the average person wants to worry about, as you say, but HN readers will find it simple. Personally I'm hoping U2F (Yubikeys) are the future, since your average person certainly understands the concept of a key.

link