Hacker News new | ask | show | jobs
by philnash 2355 days ago
Absolutely correct, I've even given talks on this. Check out slide 52, I think we're in strong agreement here: https://speakerdeck.com/philnash/2fa-wtf-at-pycon-singapore?....

I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.

If a site required you to have a 32 character length password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS it doesn't make SMS 2FA less secure, it makes that sites implementation incorrect.
1 comments
latchkey 2354 days ago
SMS 2FA isn't more secure than just a password. It actually opens up holes.

When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

link
philnash 2354 days ago
The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.
link
latchkey 2354 days ago
The point being that had it been 2FA, it would have been the same hole.
link
philnash 2354 days ago
There are a numbers of things here that are true.

* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recyling.

* Applications that do 2FA via SMS do not necessarily do account resets via SMS

* 2FA over SMS is more secure than just having a password to secure an account.

I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.

link
latchkey 2354 days ago
Ok, makes sense. Thank you for the kind response and I approve of most of it. I think we will have to agree to disagree on the last * though. I think that statement is very much 'it depends.'

I apologize for going in circles one more time... but by not providing 2FA SMS, it is impossible to f'ck it up or be abused. Right?

link
philnash 2353 days ago
I shy away from any rules that say you can’t mess something up simply by avoiding one thing, especially in this sort of case. Consider also that avoiding 2FA by SMS may avoid sim swap or recycle attacks, but it could also eliminate 2FA for users who don’t have a device capable of running an authenticator application (a feature phone).

There’s a lot more at play here, and “just don’t” isn’t a nuanced enough answer to 2FA by SMS.

link