by ctab 2431 days ago
Good idea. Unfortunately any 2FA using a phone number (SMS or phone call) is highly insecure -- see Jack Dorsey having his Twitter hijacked, or any number of people having bitcoins stolen from Coinbase. That implementation should be marked with a big red X, not a green checkmark.
4 comments

If it's 2FA and not an account recovery shortcut, it doesn't deserve a cross mark, because it's not _worse_ than nothing: nobody is finding it _easier_ to get in by hijacking your phone number as an extra step.

If your argument is that phone-based 2FA is no good because it's vulnerable, that'd count for TOTP as well, which is vulnerable to live phishing attacks that are now relatively widespread. In both cases they're a lot better than nothing.

> see Jack Dorsey having his Twitter hijacked

His account was hijacked because his phone number was a single factor.

I think a better description is: using your phone number for 2-factor auth and account means that if you steal someone's phone number (via SIM hacking, usually) then you can do anything, because you can reset the account through the phone number, then set the password, and now you control 2 factors (phone + password).
That sounds like a bad way to implement 2FA, indeed.
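A constructed toy model, added here and not taken from any commenter or real service, of the point made above: when the same phone number is both the second factor and a password-reset channel, control of the number alone yields both factors, whereas a policy that does not let an SMS code by itself reset the password keeps the password as an independent factor. The account, the phone number and the party names are made up.

```python
"""Toy model of SMS-as-2FA versus SMS-as-password-reset (constructed example)."""
from dataclasses import dataclass


@dataclass
class Account:
    password: str
    phone: str                 # number that receives one-time SMS codes
    sms_resets_password: bool  # policy: may an SMS code alone reset the password?


class PhoneNetwork:
    """Tracks which party currently receives SMS for a number (constructed)."""

    def __init__(self) -> None:
        self.owner: dict[str, str] = {}

    def deliver(self, number: str) -> str:
        # The party that receives the one-time code sent to this number.
        return self.owner[number]


def login(acct: Account, net: PhoneNetwork, party: str, password: str) -> bool:
    """Two factors: knowledge of the password AND receipt of the SMS code."""
    return password == acct.password and net.deliver(acct.phone) == party


def reset_password(acct: Account, net: PhoneNetwork, party: str, new_pw: str) -> bool:
    """Recovery flow: only the SMS code is checked when the policy allows it."""
    if acct.sms_resets_password and net.deliver(acct.phone) == party:
        acct.password = new_pw
        return True
    return False


def phone_hijack_grants_access(sms_resets_password: bool) -> bool:
    """Does a party holding only the phone number end up able to log in?"""
    net = PhoneNetwork()
    number = "+15550001111"  # constructed number
    acct = Account("correct horse battery", number, sms_resets_password)
    net.owner[number] = "victim"
    net.owner[number] = "hijacker"  # the number now routes to another party
    reset_password(acct, net, "hijacker", "hijacker-chosen")
    return login(acct, net, "hijacker", "hijacker-chosen")
```

With the reset policy enabled the model returns True (one factor was enough); with it disabled the password remains an independent factor and the call returns False.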
On a not-so-related note, a number of sites and messaging apps require login via phone number. This doesn't seem to have necessarily penetrated Western apps, but is seemingly more prevalent in Asian/African countries.

Does this mean those applications are ipso facto vulnerable, via a similar attack vector?

If the phone number is acting as the identity (like email for a lot of sites today) then no, that's not vulnerable to anything, though over the longer term it can cause confusion as "your" phone number turns out to have previously belonged to somebody else who isn't using the phone number any more but does still use lots of accounts registered with that number...
> If the phone number is acting as the identity (like email for a lot of sites today) then no, that's not vulnerable to anything

Email is hard to hack (you need a password, and possibly a second factor if the email account is properly secured).

Phone numbers are easier to spoof using SIM swapping. See https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twit...

True, but as long as the user realizes this and still keeps using the very same high-quality password, it is better than that very password without 2FA over SMS.