undefined | Better HN

0 pointsQUFB7y ago0 comments

Agreed, but keep account recovery in mind.

Account recovery is a major pain point for any site that supports TOTP 2FA. If you're not using a TOTP application that supports cloud backup (like Authy), when you lose or replace your mobile device the existing TOTP tokens are useless as they can't be recovered. This results in some type of account recovery process to reintroduce the 2FA tokens. Often these recovery processes introduce additional security issues that are equivalent to not supporting 2FA at all, or they might require costly human intervention.

Don't get me started on SMS 2FA.

0 comments

drchickensalad7y ago

I'd like to get you started on SMS 2fa. I deal with this a lot at work and would like as much information as possible!

jandrese7y ago

SMS is terribly insecure. Using it as a security system is a bad idea.

SMS verification is more for discouraging bots from making accounts by making it expensive--you need to buy a cell phone. Every SMS verification system refuses to send to VoIP type accounts for this reason.

jsoverson7y ago

Couple this with the fact that mobile services are also subject to credential stuffing attacks constantly and, for the services that allow you to read SMS messages online, the attackers who take over your mobile account also gain a critical piece of your 2FA protection.

davchana7y ago

Exactly that's why I have disabled my Google email recovery via phone number. Only possibilities are Auth via an existing signed-in device, Google Auth, or backup codes.

davchana7y ago

I always save that TOTP Token or QR code in my seperate keepass database, so that if my Google Auth app breaks for any reason, I can install it fresh & re-scan those QRs from keepass.

j / k navigate · click thread line to collapse

0 pointsQUFB7y ago0 comments

Agreed, but keep account recovery in mind.

Don't get me started on SMS 2FA.

0 comments

drchickensalad7y ago

I'd like to get you started on SMS 2fa. I deal with this a lot at work and would like as much information as possible!

jandrese7y ago

SMS is terribly insecure. Using it as a security system is a bad idea.

jsoverson7y ago

davchana7y ago

Exactly that's why I have disabled my Google email recovery via phone number. Only possibilities are Auth via an existing signed-in device, Google Auth, or backup codes.

davchana7y ago

I always save that TOTP Token or QR code in my seperate keepass database, so that if my Google Auth app breaks for any reason, I can install it fresh & re-scan those QRs from keepass.

j / k navigate · click thread line to collapse