Hacker News new | ask | show | jobs
by Too 808 days ago
SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.
3 comments
The_Colonel 808 days ago
SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

link
Too 808 days ago
Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.
link
didntcheck 808 days ago
Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)
link
eganist 808 days ago
> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

link