Hacker News new | ask | show | jobs
by rkeene2 1052 days ago
How is SMS two factor when email is not ?

Separate from that, it is not productive for you to tell me to think about it more -- for all you know I've implemented two factor authentication in various forms for decades (from OPIE when I worked at NRL to Smartcards within DOD to Passkeys currently). What would be more productive is to get more insight into what you're thinking
1 comments
weird-eye-issue 1050 days ago
If you have access to somebody's email you can just click reset password and then click the "2FA" in their email and then you have access to their account

Does that happen with SMS? Hmm...

link
rkeene2 1050 days ago
The same situation seems to be true of SMS, if you have gained access to their account then you can use that to perform 2FA as well. In this situation, it doesn't seem to be significantly different in terms of security.

To answer your question on whether or not people access other people's SMS accounts -- yes! That's one reason it's not recommended any longer. Additionally, there's often less security possible for ones SMS account versus ones email account.

link
weird-eye-issue 1049 days ago
...

You would have to get access to their email and SMS to perform a password reset and get past 2FA. If you are saying you could do a SIM swap attack simply by having access to their email I think that is not that practical at all.

> To answer your question on whether or not people access other people's SMS accounts -- yes!

What? I never asked that? What are you even talking about?

link
rkeene2 1044 days ago
It's really unclear to me why you think that email would be involved in any other capacity than 2FA in this scenario.

Are you imagining that email is used in some other additional way in the authentication process, such as account recovery ?

link
weird-eye-issue 1042 days ago
You've never done a password reset? That goes to your email. If your 2FA is over email too then that isn't 2FA. Because you only need the email to take over an entire account
link
rkeene2 1033 days ago
So I see the problem now, your model includes a hidden assumption that password resets go to email -- this is not always the case.
link