Hacker News new | ask | show | jobs
by robbya 2349 days ago
You're talking about account recovery, not 2FA. A website can use my phone number for account recovery even if I'm not using SMS as 2FA.

I agree with everything you said about SMS for account recovery.

Account recovery that uses a phone number is weak. There was a paper on HN this week that detailed this.

However, if we are going to compare SMS 2FA (I.E. password plus code sent over SMS) against just password, SMS 2FA wins. In both cases I need to steal your password, the SMS part is an added challenge although it's easier to bypass than many people want.

Given SMS 2FA and any other 2FA option, SMS 2FA loses.
1 comments
colechristensen 2349 days ago
In an idealized sense, sure. But not for a practical situation.

SMS as an authentication factor weakens the security because of all of the additional behaviors associated with the account provider which are inescapable.

link
robbya 2349 days ago
Edit: looking again, I see what I missed.

> The only real defense is to never associate your phone number with personal accounts which even then is often not possible.

Yes that's exactly right. If I don't trust a website to not use my phone number as the sole factor for recovery, then I should not use SMS 2FA on that site and I should not add my phone number to any part of my profile. If I know (how?) that the website won't use SMS for recovery, then SMS 2FA is better than nothing.

As a website owner, if I offer SMS 2FA auth and use SMS in isolation for recovery, then I'd want to stop using SMS for recovery. After that, removing SMS 2FA and not offering any second factor would weaken my security. I.E. SMS 2FA is weak but better than nothing. SMS single factor recovery is terrible, fix that ASAP.

link
colechristensen 2349 days ago
It's one of those things which, technically, can be done correctly. However, it isn't. It provides an incentive to do bad security which is bad for providers because their security will have a tendency to devolve into bad-factor recovery and it's bad for users because it makes them comfortable with a security factor which is easily defeated.

It might be good for your use case, but systematically SMS is bad for security in a global society sense.

link