[jfrunyon]

Reminder: SMS 2FA adds only a negligible amount of security, if your company does 2FA via SMS you're doing nothing more than lulling your users into a false sense of security. Don't do it. Support proper 2FA. (And while you're at it, allow your users to decide how much they care about their account. Don't make the decision for them.)

[zajio1am]

> Reminder: SMS 2FA adds only a negligible amount of security

I would disagree. Obviously, there are better approaches, but consider basic password auth on desktop, that is easily exploitable en masse by botnets. if you add 2FA via SMS, you would need to exploit both devices (or attack SS7, transfer number or some other trick) and match infos from these devices. Can be done in targetted attack, but harder in en masse botnet attacks.

[jfrunyon]

Congratulations, you've spotted the negligible amount, which I explicitly said was negligible, as opposed to zero. Just because something has some benefit does not mean that benefit is greater than the costs.

[yladiz]

Wow, is there any reason to be so snarky and dismissive here?

[albertgoeswoof]

That’s great until your users lose/break their phone and have no backups for their 2FA codes.

“Sorry you’re locked out forever, good luck lol”

Is not a response you can give to them.

[neartheplain]

Printed/saved backup codes are still an option. Can also attach multiple 2FA tokens to one account. That's what Google and many others provide. Their customers seem satisfied.

[freebuju]

> Printed/saved backup codes are still an option

Vast majority of users don't bother with such complexities.

SMS is the easiest minimum entry barrier to 2FA. It is better than having just passwords.

[jfrunyon]

> It is better than having just passwords.

That is false. Many incidents have been widely reported where huge names, who certainly could afford even a $50 hardware token to protect their reputation/brand, were 'hacked' because they thought SMS 2FA protected them - and it didn't. Even with services which do also offer TOTP or U2F etc.

[emit_time]

It is better. It’s just not perfect.

[decrypt]

>Can also attach multiple 2FA tokens to one account

This is new to me. Most websites that I have seen offer only one 2FA token, but it could be scanned on any number of TOTP apps.

[zaphirplane]

I disabled some 2fa cause I once replaced my phone without following some script to copy across the 2fa app

Luckily I was still signed in on a computer

[neop1x]

I use Authy app which performs encrypted backups to the cloud and verifies regularly that I can still remember the passphrase. I have never lost a TOTP token this way.

[berkes]

I've never encountered this. All of my 20-something 2fa tokens I could recover with processes ranging from making videocalls to identify myself to getting a 24 hour slot in which all but the 2fa reset was locked.

[goblin89]

I’d be curious to know which services are confirmed to have solid 2FA reset practices (i.e., you can do it if you lose your keys; no one else can do it).

These would probably be smaller businesses that earn their revenue directly from paying customers (and would lose if you give up and cancel your card/block their transactions)—I can’t imagine this ever working for ad-driven whales like Google or Facebook, or large corporations to whom you’re small fish and need them more than they need you.

Also, it’ll be interesting to see how 2FA reset options evolve in near future. A 24-hour slot to reset only 2FA, for example, looks like a valid attack vector. Also, I suspect deepfaking videocalls won’t be out of reach of a dedicated but average attacker for long.

[berkes]

> I can’t imagine this ever working for ad-driven whales like Google

Google was one of those that offers account recovery[1], but has it fully automated. I did not need it, because Google urged strongly to create backup tokens. I had those in my encrypted backup.

Focusing too much on what can go wrong is unproductive. I could also steal your iPhone, or force you to reveal a 2fa token using the Rubber Tube Decryption method.

There is no such thing as 100% security. And certainly not if it needs to be balanced against some real-world-ease such as "recovering after you dropped your iPhone in the toilet".

The 24hour recovery slot was at my cloud VPS service from which I got a bazillion warning mails. "your 2fa will be disabled in 48 hours, did you not initialize this, click here to ...".

The least secure was at my bookkeeper's online portal, where I could call them over the phone, offer some simple verification and have 2fa disabled. That does not remove my trust in them, because 1) it is an account that needs less security than e.g. my AWS account, and 2) they do know me personally and I them. It actually makes me trust them more because I know they are there for me when I need them.

-- [1] https://accounts.google.com/signin/v2/recoveryidentifier?flo...

[jfrunyon]

There are many, many ways to handle backup authentication. SMS is not one of them.

[kevincox]

SMS auth is great until your users move, get a new number and are locked out forever.

Pick you poison. Or even better, implement both and let your users pick.

[swiley]

That's part of a well secured account. You don't need this for everything just two or three super important things (bank, dns etc.)

[weswpg]

there can at least be a notification and a delay, so I have 12-48 hours to respond if I get an emergency alert that my service is about to be deactivated

[caskstrength]

A lot of times SMS 2FA significantly degrade security with services that allows you to "recover" access to your account via SMS.

[mrguyorama]

But then that's not actually 2FA then, is it?

[fckthisguy]

I completely agree.

SMS 2FA is, at best, just adding a little hassle for the hacker. If it's not a targeted attack, there's a chance that the extra effort means they'll move on, but that won't stop any remotely determined hacker.

[anaganisk]

And isn't that true for most of the people? Still better than nothing right?

[danmur]

I'm not sure it's better, at least not in all cases. If you can reset your password or login without password using SMS, and you had a strong password, it could be worse.

[bsid]

that would be a veryy incorrect implementation of 2FA. Wouldn't be surprised if some service works that way, but would def. be unfortunate

[efreak]

Some services work in exactly this way; it's like using a magic link to log you into a website in the browser from an app on your phone/computer.

[path411]

I agree it's def better than nothing. But I think most end users think 2FA SMS is the equivalent of hiring an armed security guard at your door, not when it's really the equivalent of putting an ADT sign in your front lawn from amazon.