by addingnumbers
1372 days ago
> most websites/companies will quite happily let the impostor click a "Forgot password" link and get a SMS code to verify their identity

That's not 2FA. There is one single factor there, the SMS code. SMS 2FA does not require you to have a 1FA backdoor, so you can't claim the latter is an inherent fault of the former. For example, pairing "enter the SMS code" with "click the link we sent to your backup e-mail address" gets you a two-factor password recovery process. That isn't the best or only method of 2FA password resets, it just comes to mind first because it's the last one I used and it is sufficient to prevent access via SIM hijacking alone.
I do feel though that SMS porting is such a lax system that using it as an authentication factor leads you into a lot of (SMS && social-engineering) situations that would be more preventable if SMS was not involved.
I say this fully realising that in this scenario the party allowing these attacks to work due to poor understanding or lack of proper checks is the real problem.
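As an added illustration of the recovery flow the comment describes (example code written for this page, not the commenter's own and not any particular site's implementation), the sketch below models a password reset that only unlocks when both an SMS code and an e-mail link token have been independently verified for the same attempt. Names such as `TwoFactorReset`, the TTL values, and the injectable clock are assumptions chosen for the example; the point is that a SIM-swap alone, which yields only the SMS code, never satisfies `can_reset`.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes for the example: a short one for the SMS code, a longer one
# for the whole reset attempt (the e-mail link may take longer to be opened).
SMS_CODE_TTL = 300       # seconds
ATTEMPT_TTL = 900        # seconds


@dataclass
class ResetAttempt:
    sms_code: str
    email_token: str
    started_at: float
    sms_verified: bool = False
    email_verified: bool = False
    consumed: bool = False


class TwoFactorReset:
    """Password-recovery state machine requiring two independent channels."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._attempts = {}        # user_id -> ResetAttempt (one live attempt)

    def start(self, user_id):
        """Begin a reset; returns the secrets that would be sent out of band."""
        attempt = ResetAttempt(
            sms_code=f"{secrets.randbelow(10**6):06d}",  # 6-digit SMS code
            email_token=secrets.token_urlsafe(32),       # token in the e-mail link
            started_at=self._now(),
        )
        self._attempts[user_id] = attempt
        return attempt.sms_code, attempt.email_token

    def _live(self, user_id, ttl):
        a = self._attempts.get(user_id)
        if a is None or a.consumed or self._now() - a.started_at > ttl:
            return None
        return a

    def verify_sms(self, user_id, code):
        a = self._live(user_id, SMS_CODE_TTL)
        if a is None:
            return False
        # constant-time comparison so the code cannot be guessed by timing
        if hmac.compare_digest(a.sms_code, code):
            a.sms_verified = True
            return True
        return False

    def verify_email(self, user_id, token):
        a = self._live(user_id, ATTEMPT_TTL)
        if a is None:
            return False
        if hmac.compare_digest(a.email_token, token):
            a.email_verified = True
            return True
        return False

    def can_reset(self, user_id):
        """True only when BOTH channels confirmed the same live attempt."""
        a = self._live(user_id, ATTEMPT_TTL)
        return a is not None and a.sms_verified and a.email_verified

    def complete(self, user_id):
        """Consume the attempt; a real system would set the new password here."""
        if not self.can_reset(user_id):
            return False
        self._attempts[user_id].consumed = True   # single use
        return True


if __name__ == "__main__":
    flow = TwoFactorReset()
    code, token = flow.start("alice")
    flow.verify_sms("alice", code)
    print("SMS alone sufficient?", flow.can_reset("alice"))   # False
    flow.verify_email("alice", token)
    print("both channels verified?", flow.can_reset("alice"))  # True
```

Each verification only marks its own channel; the attempt is consumed on completion so the secrets cannot be replayed, and expiry is enforced per channel rather than trusting whichever code arrived first.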