by sneak 2354 days ago
> Ultimately I’d prefer SMS over nothing when it comes to 2FA

This isn't always a good setup. Frequently implementors use SMS, once set up for 2FA, to do password resets.

This means that it's actually 1FA - get the sim, and you're in. No password required.


Absolutely correct, I've even given talks on this. Check out slide 52, I think we're in strong agreement here: https://speakerdeck.com/philnash/2fa-wtf-at-pycon-singapore?....

I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.

If a site required you to have a 32-character password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS, it doesn't make SMS 2FA less secure, it makes that site's implementation incorrect.

SMS 2FA isn't more secure than just a password. It actually opens up holes.

When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.

The point being that had it been 2FA, it would have been the same hole.

There are a number of things here that are true.

* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recycling.

* Applications that do 2FA via SMS do not necessarily do account resets via SMS

* 2FA over SMS is more secure than just having a password to secure an account.

I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.
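The three points above (SMS-only reset collapses to one factor, resets need not go over SMS, and SMS 2FA still beats a bare password) can be shown concretely with a small model. The following is an added illustration written for this thread; it is not code from Facebook, Twilio or any commenter. The service, the two reset policies, the 90-day trust window for a verified number, and the sample account details are all assumptions made for the example. It models an attacker who only controls the phone number (a SIM swap, or a recycled number like the one in the story above) and an attacker who only knows the password, and checks what each gets under a vulnerable reset policy and a hardened one.

```python
"""Model of SMS 2FA vs. SMS password reset. Added example; not any site's real code."""
import hashlib
import os
import secrets
from datetime import datetime, timedelta

# Assumption for the example: a number nobody has re-verified within this window is
# treated as possibly recycled and is not trusted for account recovery.
TRUST_WINDOW = timedelta(days=90)


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, password, phone, email, phone_verified_at):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.phone, self.email = phone, email
        self.phone_verified_at = phone_verified_at  # last proof of control of the number

    def check_password(self, pw):
        return secrets.compare_digest(self.pw_hash, _hash(pw, self.salt))


class Service:
    """'Sends' one-time codes into an outbox keyed by address, so an attacker model
    can read exactly the channels it controls and nothing else."""

    def __init__(self, account, reset_policy):
        self.acct = account
        self.reset_policy = reset_policy  # "sms_only" (vulnerable) or "sms_plus_email_recent"
        self.outbox = {}   # address -> last code delivered there
        self.issued = {}   # purpose -> {channel: code} the service expects back

    def _send(self, purpose, channel, address):
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox[address] = code
        self.issued.setdefault(purpose, {})[channel] = code

    # Login: something you know (password) then something you have (SMS code).
    def login(self, password):
        if not self.acct.check_password(password):
            return False
        self._send("login", "sms", self.acct.phone)
        return True

    def finish_login(self, otp):
        return secrets.compare_digest(otp, self.issued.get("login", {}).get("sms", ""))

    # Recovery: this is where SMS 2FA silently becomes 1FA if done wrong.
    def start_reset(self, now):
        if self.reset_policy == "sms_only":
            self._send("reset", "sms", self.acct.phone)   # SIM alone is enough
            return True
        # Hardened: refuse a number that was not re-verified recently (recycling),
        # and require a second channel so holding the SIM is not sufficient.
        if now - self.acct.phone_verified_at > TRUST_WINDOW:
            return False
        self._send("reset", "sms", self.acct.phone)
        self._send("reset", "email", self.acct.email)
        return True

    def finish_reset(self, codes, new_password):
        expected = self.issued.get("reset", {})
        if not expected or any(
            not secrets.compare_digest(codes.get(ch, ""), code) for ch, code in expected.items()
        ):
            return False
        self.acct.salt = os.urandom(16)
        self.acct.pw_hash = _hash(new_password, self.acct.salt)
        self.issued.pop("reset", None)
        return True


def _fresh_service(policy, phone_age):
    now = datetime(2020, 1, 1)  # constructed sample data
    acct = Account("correct horse battery staple", "+60123456789",
                   "victim@example.invalid", now - phone_age)
    return now, acct, Service(acct, policy)


def sim_holder_breaks_in(policy, phone_age=timedelta(0)):
    """Attacker controls only the phone number (SIM swap or recycled number)."""
    now, acct, svc = _fresh_service(policy, phone_age)
    if not svc.start_reset(now):
        return False
    codes = {"sms": svc.outbox.get(acct.phone, "")}  # the only channel they can read
    if not svc.finish_reset(codes, "attacker-chosen"):
        return False
    return svc.login("attacker-chosen") and svc.finish_login(svc.outbox[acct.phone])


def password_thief_breaks_in(policy):
    """Attacker knows the password but controls no channel: SMS 2FA should stop them."""
    _, _, svc = _fresh_service(policy, timedelta(0))
    return svc.login("correct horse battery staple") and svc.finish_login("")


def legitimate_login_works(policy):
    _, acct, svc = _fresh_service(policy, timedelta(0))
    return svc.login("correct horse battery staple") and svc.finish_login(svc.outbox[acct.phone])
```

Under the "sms_only" policy the SIM holder resets the password and then passes the SMS step too, so the account was protected by one factor all along; under the hardened policy the same attacker is stopped twice, once because the email code never reaches them and once because a long-unverified number is refused for recovery. Both policies still stop the attacker who has only the password, which is the sense in which SMS 2FA is better than a password alone.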

Ok, makes sense. Thank you for the kind response and I approve of most of it. I think we will have to agree to disagree on the last * though. I think that statement is very much 'it depends.'

I apologize for going in circles one more time... but by not providing 2FA SMS, it is impossible to f'ck it up or be abused. Right?