by lotsofpulp 2405 days ago
How is it fine for the most part when it’s been shown that thousands of employees working at the mobile network have the ability to forward your number, thereby rendering the 2nd factor useless?

More importantly, there simply isn’t a reason why TOTP, a superior actually secure 2nd factor that doesn’t rely on a third party, can’t be offered, unless you want to force the user to cough up their phone number so you can track them.


TOTP is great for you and me, but the average Joe totally does lose their phone and get locked out. Forget recovery codes, what the hell are those, they can’t even keep track of passwords. Authy provides encrypted backups you say? See “can’t keep track of passwords”.

Don’t even get me started on physical security keys. I could hardly even convince myself to use one, let alone always having at least one backup. Imagine asking my mom to do that.

At the end of the day, the average Joe needs a recovery mechanism that’s not tied to their memory and doesn’t make their everyday interactions a pita. Phone number is just one step below government IDs (which people would be uncomfortable to supply for most sites) and the challenge response could be easily automated, making it ideal. It’s being ruined because of the incompetence of telecom operators.

I wonder if requiring physical appearance with government ID for a SIM change, and making fraudulent SIM issuance a fireable offense would drastically cut down on SIM jacking. (Before anyone points it out, I do envision fraudsters applying for telecom jobs just to do this.)

Now, I’m not arguing TOTP without recovery phone number shouldn’t be an option. I opt into it whenever possible.

> Don’t even get me started on physical security keys

Well, I haven't seen a single person who wouldn't have one. We use them for cars and houses, though.

And credit/debit cards, I bet you have them too. It's a physical security key to the ATM. Classic 2FA spirit: something you have (the card) + something you know (PIN code).

The point is, people don't have problems with physical security keys. Programmers (and hardware vendors) do, which means no standards and clunky UI.

Physical keys go into designated keyholes, and give you physical access to something. Physical cards go into dedicated machines, and give you access to a physical transaction, cash, deposit box, etc. Physical objects for physical access.

Physical U2F keys get in the way of all-digital flows. They also need to interact with all kinds of non-dedicated devices, something they do a less than stellar job of. Bluetooth and NFC keys are young, setup process isn’t great and reliability seems to vary; USB keys require a USB port which might be occupied by other things or available only in another physically incompatible shape.

So, we are agreeing?

The keys aren't the problem, the engineers are. In this day and age, every device should have a digital keyhole (NFC, whatever) - and it should not take more than "insert or hold X next to Y".

Re: "physical process": something tells me you didn't type this message telepathically. UX is a physical process, and 99.99% of the time, it's doing something with your hands anyway. (Alexa/Siri/OK Google are a different beast).

If every other phone can have a fingerprint scanner, it can have something for actual keys too.

Moreover, imagine this: your devices could have built-in hardware keys that you can register with your bank/etc should you desire that convenience.

Still proper 2FA: your phone number is just an account, which is at the whim of your service provider, but your device is something you have.

Before pushing stuff like TOTP, we need to get everyone on board with using a password manager correctly. I use one and it's a quality of life improvement as well as a security improvement. I only have to remember one password, and I have all of my credentials on my phone and my browser. It's set to automatically lock after some minutes, so I'm secure most of the time. I just checked and I have over 100 passwords in my password manager, and there's no way I would be able to have a unique password for each one and remember them all.

It's a bit of an "eggs in one basket" situation, but given that people tend to use the same password everywhere, I see it as strictly a step up since it's much less likely for your password manager to be compromised (targeted attack in most cases) than for a site to be hacked.

Once everyone is using password managers consistently, then we can start to talk about TOTP and other 2FA tools, and at first only use it to secure the password manager.

Once we solve the password manager problem, most other problems go away. You don't need to reset passwords if you have it in your password database (your computer won't forget it). You don't have to come up with passwords that match some arbitrary set of requirements, you let your computer do that. If you get recovery codes, stick them next to your passwords in your password manager. If there's a breach, your password manager can likely tell you which accounts are affected, and you can just change those instead of every site that you use that password on.

So yeah, 2FA is nice, but improving how people use the first factor is far more important and actually makes people's lives easier.

I have pushed my parents to use a password manager multiple times over the years but failed (it’s as simple as adding them to my existing 1Password subscription). My father is a software engineer, of all professions.

I think it's fine because in order for someone to hack me if I have true 2FA authentication with SMS, they would have to both get my password and do some kind of social engineering attack to get access to my messages. If you have a secure password already, that is probably good enough security for the vast majority of people.

Just because the second factor can be compromised, doesn't make it useless. Pretty much any security mechanism can be breached, it's all about increasing the difficulty of an attack until it matches the value of what you are trying to protect. SMS 2FA protects you against untargeted attacks like credential stuffing, which is probably sufficient for 95% of people.

> they would have to both get my password and do some kind of social engineering attack to get access to my messages.

You must have not followed any SIM-jacking story, which is the point of this entire thread.

1. They don’t need your password because their goal is a password reset through your recovery phone, or recovery email address “secured” by a recovery phone.

2. They do social engineering on telecom employees (or outright buy them out for a pittance) to not only get access to your messages, but take over your entire link to your cellular network. You’re not involved in any of this.

TL;DR: the second factor makes you less secure, not more. It’s a downgrade from a secure password. It makes you defenseless.
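The downgrade this comment describes, as an added example that is not part of the thread: a small Python model of the login and recovery routes that computes the smallest set of things an attacker must hold to take over the account. The asset and capability names ("account", "recovery_email", "phone_number", ...) are constructed for the illustration.

```python
from itertools import combinations

# Constructed model: each asset (the account, a recovery e-mail) is reachable
# through one or more routes; a route lists everything the attacker must hold,
# either a primitive capability (a password, control of the phone number) or
# another asset obtained earlier in the chain.
PRIMITIVES = {"password", "phone_number", "email_password"}

def reachable(routes, held):
    """Fixed point: every asset with at least one route fully covered by `held`."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in routes.items():
            if asset not in have and any(set(r) <= have for r in alternatives):
                have.add(asset)
                changed = True
    return have

def weakest_attack(routes, target):
    """Smallest set of primitives from which `target` becomes reachable."""
    prims = sorted(PRIMITIVES)
    for k in range(len(prims) + 1):
        for combo in combinations(prims, k):
            if target in reachable(routes, combo):
                return set(combo)
    return None

# SMS used strictly as a second factor: login needs the password AND a code
# sent to the phone, and there is no reset path.
STRICT_2FA = {
    "account": [["password", "phone_number"]],
}

# Same login, plus the reset paths the comment describes: a password reset
# through the recovery phone, or through a recovery e-mail that itself can be
# reset through the same phone number.
WITH_SMS_RESET = {
    "account": [["password", "phone_number"], ["phone_number"], ["recovery_email"]],
    "recovery_email": [["email_password", "phone_number"], ["phone_number"]],
}

if __name__ == "__main__":
    print(weakest_attack(STRICT_2FA, "account"))      # {'password', 'phone_number'}
    print(weakest_attack(WITH_SMS_RESET, "account"))  # {'phone_number'}
```

With the reset paths present, control of the phone number alone suffices, which is the "single factor" the thread keeps returning to; the model is a convenient way to audit a real service's recovery options before enabling SMS.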

As I said in my first comment, a recovery number turns it from 2FA into single factor. Obviously that is less secure, since a phone number is generally less secure than a password. I'm talking about true 2FA over SMS.

Recovery numbers should be stored somewhere safe, like your house. If your attackers have access to your house they could beat you up with a baseball bat instead of going through the trouble of finding your recovery codes and phishing your passwords.

Recovery numbers are recovery telephone numbers. If they sim-swap you, they have your telephone number. The end. Virtually all email accounts and online services tie themselves to your damn telephone number, and there are tens of thousands of people in each phone company who can move your number.

Oh, I thought you meant backup 2FA codes:

https://support.google.com/accounts/answer/1187538

The attacker would have to steal the password and SMSjack someone; that’s a fairly tall order (maybe feasible for targeted attacks, but it should be sufficient to thwart opportunistic attacks.) The problem is that many sites allow password resets with the SMS, thus rendering it 1F, as GP said.

2FA is more secure than 1FA as it takes more effort to break. It is enough for many people, but targets that are worth the money and risk of bribing a phone company's employees may need additional security.

Breakable != useless.