by winternett 1419 days ago
As a whole for social media at least.

For items that are of national security and high sensitivity in the business world, personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.

The people that seek that level and volume of data are not usually simple amateurs that stumble upon script tools; they are usually engineers, info warriors, and even massive operations themselves with funding, skill, and human resources to get what they want. The best way to secure data is at the system level and by not collecting data that is not needed for direct relevance to system function to begin with.

Personal phone numbers have no relevance to apps like Twitter or Facebook beyond facilitating their personal information and ID lust.


Token-based 2FA does not leak any information to the service and it has a benefit of preventing other types of attacks on the functions that the system is supposed to do. There is literally no reason to be against TOTP or WebAuthn.
I don’t agree. At worst it just introduces a “hey I lost my phone” customer support backdoor that may be weaker than what was there before.
It’s not any worse than the “hey I forgot my password” support backdoor.

If you have a support backdoor, it doesn’t matter what technology you use. That’s not a technology problem.

That’s a security flaw. Backup codes are the fix if you get locked out. Sure, the attacker could find the backup codes, but that can be a challenging task.
And at best? And what about on average?
How could you ever guarantee that when registration for many services is conducted on such a wide variety of Internet-based web forms that are integrated into web sites?

That's not logical.

I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

You can guarantee that TOTP and WebAuthn do not share personal information because their implementation does not involve the use of any personal information.
>I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

I might be missing something, but what does that have to do with the efficacy of token-based 2FA?

Web forms allow social media sites to capture bare phone numbers and store them in other places than just for authentication services. The places they store these numbers are often exposed to the public and to partners for a fee, along with personal data, which regularly is connected to other personal data on each account user. 2FA does not keep your account secure, and is just a bogus ploy by social and other platforms to get your phone number, if most of the personally identifiable information a site stores on you can be scraped ALONG WITH YOUR PHONE NUMBER, as it was, from a social media site (which is exactly what happened in the original article cited).
You are missing the point of the GP’s comment. Token-based 2FA does not involve phone numbers.

Most people who talk about 2FA being good are talking about TOTP or security keys. Phone number based 2FA is awful for a variety of reasons.

Ever heard of YubiKey, Google Authenticator or Authy?
At the risk of sounding rude, I don’t think you understand how modern 2FA works. No phone number is involved.

Your parent comment is based on misinformation and is the top comment; please consider editing or deleting it.

You have not properly read my other comments within this post. That is arrogantly presumptive, and overvaluing the ideal that downvotes should suppress freedom of opinion.
>personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.

U2F and WebAuthN protect against phishing. This protection applies regardless of whether you use a personal device or not.

Even more relevant, one of the main benefits of 2FA is securing people who reuse passwords. Similarly, that gained protection is not lost by using a personal device.

System rules can be, and often are, configured to prevent password reuse well before 2FA. They have also enforced password complexity for ages now, before 2FA... 2FA was invented and foisted on everyone without real necessity and demand involved. Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless. Text messages also aren't properly secure, and neither are Wi-Fi and Bluetooth in many cases... It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

None of what you mentioned is advanced security if user phone numbers are stored and accessible along with their personal data.

Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

Social media surveillance is a gold mine of data for a social engineer these days, specifically BECAUSE of how invasive it is. 2FA does not protect it; it only creates a secure login, and it does not secure data beyond verifying a user has the phone tied to the account. A mobile device is not a footprint nor proof of ID; it can be physically lost or stolen, or even cloned, which has happened often.

>System rules can, and often are configured to prevent password reuse

How? And even if it's not verbatim password reuse, people often choose extremely similar passwords such that given one password, the other one can be guessed in a few guesses.

Password complexity requirements don't stop password reuse.

>Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless.

I agree that SMS is the worst form of 2FA. There are others though.

>It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

You're conflating SMS 2FA with all forms of 2FA. There are other forms. The biggest threat that people face today is phishing. That's stopped by U2F/WebAuthN. One of the next biggest threats is credential stuffing. That's stopped by all forms of 2FA, regardless of how weak SMS is.

>Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

U2F and WebAuthN protect against these types of phishing attacks.

>A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

So use a different type of 2FA than SMS.

> System rules can, and often are configured to prevent password reuse well before 2FA.

That does not at all help people who reuse passwords from one site on another.