undefined | Better HN

0 pointshombre_fatal6y ago0 comments

Nope, not if it introduces common customer support backdoors.

0 comments

zulln6y ago

If it is enough with access to the phone number, no password needed, then it is no longer 2FA.

Thorrez6y ago

Sure, but 17 websites do this. For those websites you introduce significant weaknesses if you enable SMS 2FA.

https://www.issms2fasecure.com/

robbya6y ago

Sure, everything that has a backdoor is bad. But what does that have to do with SMS 2FA?

Surely SMS 2FA (without a backdoor) is better than nothing. Sites should still offer something better than SMS for 2FA as it has widely documented issues. But as an end user presented with SMS 2FA or no 2FA; SMS 2FA is the safer option.

Is there a reason to assume an arbitrary SMS 2FA implementation would have a back door? That would be news to me.

colechristensen6y ago

The back door is either automatic or human account recovery tools.

These tools generally put way too much trust into the phone number and allow someone who has compromised that number to take control of anything it has ever touched.

Phone numbers are very public and easy to steal in ways which are difficult to defend against.

Imagine someone in a domestic abuse situation having their phone taken, with sms 2fa, how hard would it be for that person to recover and retain access to their accounts and services?

With SMS 2FA someone who knows you personally and has control of your phone number is nearly impossible to escape.

All the adversary has to do is say "oh this was linked to my old number" and account support is super likely to just give access away.

You would have to be somewhat of an opsec expert to escape that hell, and even if you know everything it becomes impossible to defend yourself against the owners of your accounts giving access away.

The only real defense is to never associate your phone number with personal accounts which even then is often not possible.

robbya6y ago

You're talking about account recovery, not 2FA. A website can use my phone number for account recovery even if I'm not using SMS as 2FA.

I agree with everything you said about SMS for account recovery.

Account recovery that uses a phone number is weak. There was a paper on HN this week that detailed this.

However, if we are going to compare SMS 2FA (I.E. password plus code sent over SMS) against just password, SMS 2FA wins. In both cases I need to steal your password, the SMS part is an added challenge although it's easier to bypass than many people want.

Given SMS 2FA and any other 2FA option, SMS 2FA loses.

1 more reply

robbya6y ago

> Imagine someone in a domestic abuse situation

Depending on how abusive you are thinking, that sounds like rubber hose cryptanalysis. That's a hugely powerful approach and I think all 2FA can be bypassed with that, if not most of modern cryptography.

https://en.m.wikipedia.org/wiki/Rubber-hose_cryptanalysis

> having their phone taken

Keep in mind that other 2FA methods also are phone based, like TOTP / Google Authenticator. Those also fail if your unlocked phone is taken. SMS is even weaker than those, but still better as a second factor versus nothing.

1 more reply

j / k navigate · click thread line to collapse