by shiado 1647 days ago
SMS-based 2FA needs to be eliminated completely. Authenticator apps need to come preinstalled as an essential utility on every OS. There doesn't seem to be a whole lot of pressure to improve 2FA security.
4 comments

There doesn't seem to be a whole lot of pressure to improve 2FA security.

I gave up on that ten years ago when I worked at a biometric authentication company. Banks were soon to be regulated to use 2FA, and our system was easy to use, we're all gonna be rich!

Then the banks were allowed to use security questions as 2FA. Not only were the employees not "all gonna be rich", everyone else was going to get fucked when they accidentally post something on Facebook about how their mother (née Mary $MAIDEN_NAME) used to do $SOMETHING on $STREET_I_GREW_UP_ON. So the continued use of SMS-based 2FA, despite its frequently-published flaws, isn't going anywhere until a new way to fuck up 2FA is found.

If I had a viable solution to it all, well, I'd be rich.

Doesn't that force people to not only use smartphones, but "approved" smartphones (read Android/iOS) with locked bootloaders and no root access (or the bank authenticator app will refuse to run)?
A dedicated 2FA token (yubikey, or many other brands) is also a reasonable option, and many systems support these standards (U2F/FIDO2).
I don't think it's too heavy handed to make the practice of implementing SMS 2FA straight-up illegal. If credit card processing requires PCI compliance why wouldn't we apply similar thought to 2FA?
Apps just embolden employers to shirk on providing secure TOTPs or work phones. You should not be forced to use your personal property to conduct job duties.