undefined | Better HN

0 pointsmikeash7y ago0 comments

It should be noted that using SMS as a second authentication factor is always more secure than just using a password. As long as you understand its limitations, it makes things more secure.

Where so many companies go wrong with SMS “2FA” is by treating it as an alternate authentication method, rather than as a second factor. If you can reset the account password over SMS then you’re boned.

0 comments

8 comments · 2 top-level

tptacek7y ago· 4 in thread

It's not more secure if you use SMS as a 2nd factor and then reuse passwords everywhere, which is a thing a lot of people do.

nolok7y ago

I'm not sure I fully agree, in a situation where you reuse passewords everywhere, having SMS 2FA on top of it is still more secure that no 2FA at all, it makes it harder/more costly to break through.

My understanding of it is if you can use anything other than SMS 2FA then use that and remove SMS, but if your choice if between no 2FA or SMS 2FA then go with SMS. Also, use it stictly as 2FA, not as identity.

This is not my area of expertise so if I'm wrong I would genuinely like to understand why.

tptacek7y ago

I don't think I'm being clear. I'm saying that in the presence of SMS 2FA, people use weaker passwords than they would otherwise. The SMS 2FA itself weakens their security: they remain vulnerable to targeted attacks and gain a vector for targeted attacks.

1 more reply

alex_anglin7y ago

I'd suggest that it is, but not as secure as alternatives others have discussed.

.. which isn't to suggest either password reuse or SMS TFA is a good idea.

SaltySolomon7y ago

Yeah, because not using a second factor is less secure than using even a middling one?

foepys7y ago· 2 in thread

Not necessarily. Some services allow you to reset your forgotten password with a 2FA token. If your 2FA token comes by SMS, your account security relies solely on SMS. Yes, this bad practice. Yes, you should not do that. Yes, you actually only have a single factor then. But some do it that way, so don't use SMS.

mikeashOP7y ago

That’s the whole point of my second paragraph. SMS 2FA is fine, but SMS recovery masquerading as 2FA is not.

ReverseCold7y ago

> Some services allow you to reset your forgotten password with a 2FA token

Don't do this either. It makes 2FA into 1FA.

j / k navigate · click thread line to collapse