[omh]

The article conflates two issues that have different security implications.

The "1-click login" links are a concern and just having access to the SMS would be enough to take over things like WhatsApp.

But 2FA codes seem notably less worrying. They are the second factor and require an attacker to have the password too. For these cases I'm much more relaxed about the use of SMS and the risks of interception.

[pphysch]

> They are the second factor and require an attacker to have the password too.

For every leaked database of SMS messages there are 1000 leaked databases of account credentials

[omh]

Good point.

But what's the threat model here?

I didn't think of 2FA as being protection against password reuse. People should still avoid reusing passwords and change them if they know of a breach.

Are there really attackers who are picking up breach databases and then sim-swapping to get the 2FA as well?

[samspot]

I think 999 of those databases are the same data set. I lost a password ten years ago from a blog breach and I get almost a monthly notification about it showing up again and again.