by GregHolmes 1401 days ago
I recently wrote this tutorial to add an extra factor of authentication when logging in to an SSH server, using tru.ID's PhoneCheck, which uses your SIM card and an active data connection to the mobile network operator. Let me know what you think?
2 comments

From a security perspective, it seems you're only confirming that whoever is trying to log in has access to the phone number - not a specific SIM card. So right away it doesn't appear to offer any benefits over other MFA options out there, and is certainly less secure than some of them.

The cost per authentication is high, and even if that weren't a concern, I'd certainly never advocate for a solution that I can't even test since my country isn't on the supported list.

Finally, getting locked out of my servers if your endpoint goes down is a hard pass. I can't really imagine anyone seriously considering implementing this type of access control to servers.

What are some of the reasons to use tru.ID over sending an sms?

It sounds like it has some features around SIM swap protection. I’d be interested in this, but how reliable is it? And what countries does it work in?

Why use this over TOTP via a generator?

If you were, for example, building a mobile application, tru.ID's PhoneCheck is superior to SMS in several ways. The first is that it provides a seamless UX. The user only has to enter their phone number (or your backend may already have this stored?). Then all they see is a couple of seconds of loading followed by a success or failure.

It also takes away the possibility of the user entering numbers incorrectly (TOTP, for example).

Some countries have started introducing rules for certain industries where users are not allowed to switch between apps on a mobile phone, for example when trying to find their Authenticator app or checking their SMS/email for a TOTP.

And finally, it is phishing resistant. You can phish for a user's TOTP. You can't with a data connection that the mobile device itself has to make over cellular data directly to the mobile network operator.

There is an API specifically for SIM swap. Alternatively, SubscriberCheck does both PhoneCheck and SIMSwap together, further increasing the security of the authentication process for the mobile app.

> It also takes away the possibility of the user entering numbers incorrectly (TOTP, for example).

Awfully weak.

> Some countries have started introducing rules for certain industries where users are not allowed to switch between apps on a mobile phone, for example when trying to find their Authenticator app or checking their SMS/email for a TOTP.

Which countries are these?

> And finally, it is phishing resistant. You can phish for a user's TOTP. You can't with a data connection that the mobile device itself has to make over cellular data directly to the mobile network operator.

What if the user is using a VPN?

Sorry, answering your other questions. We are ever increasing coverage, but currently have quite a number of countries in Europe covered, most of India covered, and Canada covered; the US is in progress.