[denhaus]

Am I the only one who just cannot STAND MFA? Having to get a notification text etc. Like what if I don’t want to give an app capability to notify my phone? What if I want something totally NOT connected to my phone?

I just envision a future where there is some near-circular dependency of passwords/phrases/notifications/authenticators/keys/email verifications etc across different devices and services - the end result is that it is absolute PiTA to log into anything or recover any account if anything is ever lost. Sort of an endless personal bureaucracy for authentication. It’s a future I am personally trying to avoid at all costs

Yubikeys etc seem like something I could potentially get behind, but it still doesn’t seem perfect persay… anyway, maybe I am just a geezer

[mightybyte]

Passwords, credit card numbers, social security numbers, etc are old outdated technology that can't go away fast enough. They're unfixably insecure...identifying yourself to someone by giving your secret identifying information to them immediately allows them to impersonate you! We've had the technology to fix this problem for close to 50 years now: public-key cryptography. We can't get to a password-less world fast enough IMO.

I know a lot of HN doesn't have much use for blockchain, but if there's one thing that blockchain has done for the world it's been to substantially spur the use and development of public-key auth systems, especially on the UX front. This is because it had no choice. If you try to use an inherently broken password auth system for completely decentralized digital currency, it will immediately descend into unusable chaos because of the vulnerability. Traditional finance (credit cards), government identification systems (social security), etc have so much existing infrastructure that innovating in this area is hugely costly and slow, but it's absolutely the direction we need to go.

[yakubin]

I’d think SSH (indirectly: git) and TLS would be more widespread applications of public key cryptography.

[krageon]

TLS, yes definitely. SSH/git, no probably not - most people do not use these things.

[yakubin]

Still more than blockchain.

[LopovJack]

What you are talking about? I reset user's forgotten passwords daily. People can't remember simplest of passwords and you can easily ask them to give you their passwords if you are persuasive enough. Human brain is weakest link not passwords, credit card numbers or social security numbers. They are just fine and will be for a long time.

[Tidal5474]

MFA is not going away, but neither is it going to become what you are describing.

MFA using an SMS is not secure.

If people reliably made good passwords and never reused them, we probably wouldn't need MFA as much.

Unfortunately, we live in a society. Bitwarden will remember your TOTP codes for you across any device you login from. It will even copy the code to you paste buffer during a login.

I enable MFA everywhere i can, even for stupid stuff. Its just not an inconvenience using bitwarden.

[jbverschoor]

and if developers would always mitigate brute force attacks/limit the amount of attempts you can do.not limit the amount of accounts you can try to access from a single source

and it’s all developers will give you the tools to check every login session, including ip addresses used, and number of failed attempts

and off everybody uses full disk encryption and other measures so that your passwords cannot be stolen, such as only use signed applications and proper sandboxes

[martin_a]

> MFA using an SMS is not secure.

Why not? Is it that easy to intercept a SMS or is that just due to poor handling with some providers?

[phantomathkg]

Yes it is.

https://blog.mozilla.org/en/internet-culture/mozilla-explain...

[UncleMeat]

SIM-swap is a real thing, but it has an unreasonably large amount of mindshare in discussions about login security in non-security communities. Phishing is a gazillion times more common because it actually scales. Both SMS and TOTP are equally weak to phishing, yet people frequently shit on services for using SMS and not TOTP.

SMS has weaknesses. Especially if you are a particularly high-interest target. But the benefit of "everybody already has a phone" is immense and the true recovery mechanism for "oh shit I dropped my phone in the toilet" is valuable. Something like a yubikey is the complete solution to login problems that don't involve malware or some security vuln, but they are an extra thing that people need to buy so the pathway to "everybody uses a yubikey" is a mess.

Both Android and iPhone are now offering similar functionality though phones, which mitigates the "you need to buy a new thing" problem, though it is harder to set up an effective backup here.

[martin_a]

But this comes down to bad security practices at the telco, doesn't it?

I don't know about other countries, but you can't even buy/activate SIM cards in Germany without "proper" identification through VideoIdent or another system where your passport is checked against. At least that's what I remember.

I'm not sure any type of "I've lost my SIM, please use this one" would work on German carriers without proper ID.

Moving numbers als requires some kind of paperwork, it's not that easy after all.

So... Is this a telco problem or a SMS problem?

[hackerman123469]

Sort of yeah, it wouldn't be possible with my carrier for example as they would just tell you "login online and swap it" because things like switching sim etc. is just something you do there and not something you call them about. And to login to the website you must use the national 2factor authentication.

So essentially they would have to breach the national 2factor authentication system first here.

And there is absolutely no way that you could "social engineer" the guy on the other end of the phone who works for the telecompany as there is no way you shouldn't be able to use their online tools.

[aewens]

No the parent, but I’m assuming they’re referring to the East of SIM spoofing to convince providers you’re another phone number that’s not your own.

[dankwizard]

More commonly referred to as Sim Swapping.

If you ever notice you lose connection to your carrier: begin to worry.

[SturgeonsLaw]

Yep it is that easy, often all it takes is a suitably phrased "please give me control of this phone number" in a telco's support live chat

[martin_a]

See the other comment, it looks like this problem boils down to very bad security practices at the telcos but not a general problem with SMS itself.

[_8j50]

That's why I like TOTP, you can use a phone (i have a dedicated disconnected phone for it) or an rpi, hardware dongle,etc.. but it is phishable

[flippinburgers]

You should give yubikeys a try.